
Windows Analysis Report payment_advice.exe

Overview

General Information

Sample Name: payment_advice.exe
Analysis ID: 553346
MD5: 8c111a2fb2509662db26b214b72e4e36
SHA1: 1706e12b96c88c74b1551184770221ae90eded88
SHA256: 18dee23d492e67fd0644205091068422a7322f94f9028a4a85a87505e6003cb8
Tags: exe

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected AsyncRAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Executable has a suspicious name (potential lure to open the executable)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • payment_advice.exe (PID: 6548 cmdline: "C:\Users\user\Desktop\payment_advice.exe" MD5: 8C111A2FB2509662DB26B214B72E4E36)
    • RegSvcs.exe (PID: 5580 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 6872 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 4204 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "185.222.57.80", "Ports": "6275", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "QezdxbEnAcR8YRyfVhhUW7fy58KZtsCM", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "20", "HWID": "null", "Certificate": "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", "ServerSignature": "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", "Group": "Default"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
6 further entries not shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
6.0.RegSvcs.exe.400000.4.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
6.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
6.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
6.0.RegSvcs.exe.400000.3.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
3 further entries not shown.

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\payment_advice.exe", ParentImage: C:\Users\user\Desktop\payment_advice.exe, ParentProcessId: 6548, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5580
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\payment_advice.exe", ParentImage: C:\Users\user\Desktop\payment_advice.exe, ParentProcessId: 6548, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5580

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 6.0.RegSvcs.exe.400000.4.unpack | Malware Configuration Extractor: AsyncRAT {"Server": "185.222.57.80", "Ports": "6275", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "QezdxbEnAcR8YRyfVhhUW7fy58KZtsCM", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "20", "HWID": "null", "Certificate": "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", "ServerSignature": "HIVbYAPWifBLFM1dIsEfxbnVJ30YJJhWw82LHYtKmHEC3g/lAwZ5luRjZRWAz1JR169Sn8cJckChtzpnJtaXs6xUOq3xWorDyH9CxmCYqSkPU3OLjEtGBWOhUlAkUyMsAegVguFE9yC3QsL7d9ry54trgH3tAg6a34DzC51v1nMppCNNKptEDh0p2rg8s1IotSV6LVOItcGaHuTjpqfTeXeg/eAL7+fWNw5FMH5j+j5OpNOELl2Y9mbJvjzZ7v7Ff5YXkcEopiyWuEW9eIjuNyOrBU0a9H9MOaSN091fxYLVYDYWVxzt1PbJWRdyLWE00EVdejlfQipA45wZVidw9RxD2O67SVlBO5mm+KQd80ISK1fbp3hZ9hX9OyH//2OwJPiL61w1i5owalTZMVlQ13Gfv1pubixjVVvO7aZwGlmEqWrGDqlyElrefhfni7aWdPIbeBaD1LSv91pHDOTzmrr0nePUF66dkKLcs/BwygcY+XesKJQROtWzWrkFc+jmezq8DIGGCEf+kwq+ZFb1LRxPGOFck8Qr2JS9rqdHbx+Mrmn+sxzk0Ozm9tFUmryKxIMct4fTiT0r6sD/LJyLQZPxH3IHYk36GLpqgOcjGLA3hFtkV41EjGuYNgLkB6ekG++kBHZtstmBNIyfOBmGOhy9BSJ8oAmjYzPP4ivKO7I=", "Group": "Default"}
Multi AV Scanner detection for submitted file
Source: payment_advice.exe | Virustotal: Detection: 24%
Source: 6.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: payment_advice.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: payment_advice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: StoreAssemblyFileEnumerati.pdb source: payment_advice.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 185.222.57.80:6275 -> 192.168.2.4:49780
Source: Joe Sandbox View | ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
Source: global traffic | TCP traffic: 192.168.2.4:49780 -> 185.222.57.80:6275
Source: unknown | TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: RegSvcs.exe, 00000006.00000002.916656825.0000000004D51000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegSvcs.exe, 00000006.00000003.729913845.0000000004DAD000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729784959.0000000004D7A000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916656825.0000000004D51000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.730140141.0000000004DD1000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegSvcs.exe, 00000006.00000003.729391547.0000000004DFF000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729862344.0000000004DFD000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.730061783.0000000004DFD000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?783d96b3a4778
Source: RegSvcs.exe, 00000006.00000002.915733607.0000000000C19000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en~
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: payment_advice.exe, 00000000.00000003.655235756.0000000005A87000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: payment_advice.exe, 00000000.00000003.655385357.0000000005A86000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: payment_advice.exe, 00000000.00000003.658699195.0000000005ABD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/.
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment_advice.exe, 00000000.00000003.659974688.0000000005ABD000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.660089261.0000000005ABD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com3
Source: payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: payment_advice.exe, 00000000.00000003.655057399.0000000005A84000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment_advice.exe, 00000000.00000003.655057399.0000000005A84000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnen
Source: payment_advice.exe, 00000000.00000003.661610975.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661648739.0000000005AB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: payment_advice.exe, 00000000.00000003.661723557.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661610975.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661797055.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661694433.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661648739.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661846411.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661760000.0000000005AB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/==FL
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment_advice.exe, 00000000.00000003.655332882.0000000005A86000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.655385357.0000000005A86000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn.
Source: payment_advice.exe, 00000000.00000003.655332882.0000000005A86000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnKX

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR
Source: payment_advice.exe, 00000000.00000002.675710014.0000000000F80000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: payment_advice.exe
                      Executable has a suspicious name (potential lure to open the executable)Show sources
                      Source: payment_advice.exeStatic file information: Suspicious name
                      Source: payment_advice.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\payment_advice.exeCode function: 0_2_00F6C9B40_2_00F6C9B4
                      Source: C:\Users\user\Desktop\payment_advice.exeCode function: 0_2_00F6EDF80_2_00F6EDF8
                      Source: C:\Users\user\Desktop\payment_advice.exeCode function: 0_2_00F6EDE90_2_00F6EDE9
                      Source: C:\Users\user\Desktop\payment_advice.exeCode function: 0_2_07378C800_2_07378C80
                      Source: C:\Users\user\Desktop\payment_advice.exeCode function: 0_2_07378C700_2_07378C70
                      Source: C:\Users\user\Desktop\payment_advice.exeCode function: 0_2_073719D80_2_073719D8
                      Source: C:\Users\user\Desktop\payment_advice.exeCode function: 0_2_073700060_2_07370006
                      Source: C:\Users\user\Desktop\payment_advice.exeCode function: 0_2_073700400_2_07370040
                      Source: payment_advice.exeBinary or memory string: OriginalFilename vs payment_advice.exe
                      Source: payment_advice.exe, 00000000.00000002.675291434.00000000007E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStoreAssemblyFileEnumerati.exe0 vs payment_advice.exe
                      Source: payment_advice.exe, 00000000.00000002.676514313.0000000003B99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs payment_advice.exe
                      Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameStub.exe" vs payment_advice.exe
                      Source: payment_advice.exe, 00000000.00000002.677656360.0000000007260000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs payment_advice.exe
                      Source: payment_advice.exe, 00000000.00000002.675710014.0000000000F80000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs payment_advice.exe
                      Source: payment_advice.exeBinary or memory string: OriginalFilenameStoreAssemblyFileEnumerati.exe0 vs payment_advice.exe
                      Source: payment_advice.exeVirustotal: Detection: 24%
                      Source: payment_advice.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\payment_advice.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\payment_advice.exe "C:\Users\user\Desktop\payment_advice.exe"
                      Source: C:\Users\user\Desktop\payment_advice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\payment_advice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\payment_advice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\payment_advice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\payment_advice.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment_advice.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@0/1
Source: 6.0.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.2.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.2.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.3.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.3.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.1.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.1.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\payment_advice.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Settings.cs Base64 encoded string
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Users\user\Desktop\payment_advice.exe Mutant created: \Sessions\1\BaseNamedObjects\lVlVHIKo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\payment_advice.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: payment_advice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: payment_advice.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: payment_advice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: StoreAssemblyFileEnumerati.pdb source: payment_advice.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: payment_advice.exe, zB/HE.cs .Net Code: UP System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.payment_advice.exe.7e0000.0.unpack, zB/HE.cs .Net Code: UP System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.payment_advice.exe.7e0000.0.unpack, zB/HE.cs .Net Code: UP System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.0.RegSvcs.exe.400000.3.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.0.RegSvcs.exe.400000.2.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.2.RegSvcs.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.0.RegSvcs.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.0.RegSvcs.exe.400000.1.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: payment_advice.exe, zB/HE.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.0.payment_advice.exe.7e0000.0.unpack, zB/HE.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.2.payment_advice.exe.7e0000.0.unpack, zB/HE.cs .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: C:\Users\user\Desktop\payment_advice.exe Code function: 0_2_00F6D118 pushad ; ret 0_2_00F6D11D
Source: C:\Users\user\Desktop\payment_advice.exe Code function: 0_2_0737C8DE push dword ptr [edx+ebp*2-75h]; iretd 0_2_0737C8E7

Boot Survival:

Yara detected AsyncRAT
Source: Yara match, File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\payment_advice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match, File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\payment_advice.exe TID: 1844 Thread sleep time: -36067s >= -30000s
Source: C:\Users\user\Desktop\payment_advice.exe TID: 1680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\payment_advice.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1646
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8095
Source: C:\Users\user\Desktop\payment_advice.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\payment_advice.exe Thread delayed: delay time: 36067
Source: C:\Users\user\Desktop\payment_advice.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File Volume queried: C:\ FullSizeInformation
Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp Binary or memory string: vmware
Source: RegSvcs.exe, 00000006.00000003.870591239.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916835494.0000000004E0A000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.731607572.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.763571335.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729974130.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.915834995.0000000000CFD000.00000004.00000020.sdmp, RegSvcs.exe, 00000006.00000003.730070432.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.763654663.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.759536490.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729404106.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.761156327.0000000004E08000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\payment_advice.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\payment_advice.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\payment_advice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\payment_advice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\payment_advice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000
Source: C:\Users\user\Desktop\payment_advice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000
Source: C:\Users\user\Desktop\payment_advice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 702008
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\payment_advice.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\payment_advice.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\payment_advice.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\payment_advice.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\payment_advice.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
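The three signature groups above are one chain: payment_advice.exe spawns the Microsoft-signed RegSvcs.exe, allocates an execute-read-write region at its image base 0x400000, writes a buffer beginning with the DOS magic 4D5A ("MZ") there, and then writes further data at higher addresses. As an added example that is not part of the Joe Sandbox report, the following Python correlates evidence lines of exactly that shape into a single finding, so that a foreign executable allocation plus an MZ write at the same base in a child the source created is surfaced as one event rather than three unrelated ones. The sample lines are constructed from the evidence above, and the regular expressions, field names and severity labels are this example's own assumptions, not a Joe Sandbox API.

```python
"""Correlate sandbox behaviour lines into a PE-injection finding.

Added example, not Joe Sandbox code. It parses constructed lines in the shape
of the 'Process created' / 'Memory allocated' / 'Memory written' evidence in
the report and flags a PE image being written into a foreign process.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Line patterns are assumptions modelled on the report text; the paths in the
# report contain no spaces, so \S+ is enough to capture them here.
PROC_RE = re.compile(r"^Source: (?P<src>\S+) Process created: (?P<target>\S+)")
ALLOC_RE = re.compile(
    r"^Source: (?P<src>\S+) Memory allocated: (?P<target>\S+) "
    r"base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$"
)
WRITE_RE = re.compile(
    r"^Source: (?P<src>\S+) Memory written: (?P<target>\S+) "
    r"base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"
)

INJECTOR = r"C:\Users\user\Desktop\payment_advice.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed sample, modelled on the evidence lines in the report.
SAMPLE_LINES = [
    f"Source: {INJECTOR} Process created: {HOST} {HOST}",
    f"Source: {INJECTOR} Memory allocated: {HOST} base: 400000 protect: page execute and read and write",
    f"Source: {INJECTOR} Memory written: {HOST} base: 400000 value starts with: 4D5A",
    f"Source: {INJECTOR} Memory written: {HOST} base: 402000",
    f"Source: {INJECTOR} Memory written: {HOST} base: 40E000",
    f"Source: {INJECTOR} Memory written: {HOST} base: 410000",
    f"Source: {INJECTOR} Memory written: {HOST} base: 702008",
    # Constructed benign control: a cross-process write with no executable
    # allocation and no MZ header must not produce a finding.
    r"Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\notepad.exe base: 1A0000",
]


@dataclass
class PairState:
    """Everything one source process did to one target process."""
    spawned: bool = False
    exec_allocs: list = field(default_factory=list)  # bases allocated with execute rights
    writes: list = field(default_factory=list)       # (base, leading bytes as hex or None)


def parse_events(lines):
    """Group the evidence lines by (source, target) process pair."""
    states = defaultdict(PairState)
    for line in lines:
        line = line.strip()
        if m := PROC_RE.match(line):
            states[(m["src"], m["target"])].spawned = True
        elif m := ALLOC_RE.match(line):
            if "execute" in m["prot"].lower():
                states[(m["src"], m["target"])].exec_allocs.append(int(m["base"], 16))
        elif m := WRITE_RE.match(line):
            states[(m["src"], m["target"])].writes.append((int(m["base"], 16), m["magic"]))
    return states


def flag_pe_injection(lines):
    """Return one finding per (source, target) pair where a buffer starting
    with the DOS magic 4D5A lands on a region the source made executable."""
    findings = []
    for (src, target), st in parse_events(lines).items():
        if src == target:
            continue  # a process writing its own memory is not injection
        mz_bases = {b for b, magic in st.writes if magic and magic.upper().startswith("4D5A")}
        hits = sorted(mz_bases & set(st.exec_allocs))
        if not hits:
            continue
        image_base = hits[0]
        findings.append({
            "injector": src,
            "target": target,
            "image_base": image_base,
            "target_spawned_by_injector": st.spawned,
            # Later writes above the header are section data or fix-ups.
            "follow_up_writes": sum(1 for b, _ in st.writes if b > image_base),
            # Writing a PE into a child you just created is the hollowing pattern.
            "severity": "high" if st.spawned else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_pe_injection(SAMPLE_LINES):
        print(finding)
```

Feed it the raw evidence lines from a report and the explorer-to-notepad control line stays silent, while the payment_advice.exe to RegSvcs.exe chain comes out as a single high-severity finding at image base 0x400000 with four follow-up writes.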
Source: RegSvcs.exe, 00000006.00000003.759450957.0000000004DAB000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000003.731548600.0000000004DAB000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916656825.0000000004D51000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916100896.00000000029CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916118306.00000000029D1000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916083911.00000000029C4000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916161929.00000000029ED000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000006.00000003.759450957.0000000004DAB000.00000004.00000001.sdmp | Binary or memory string: Program ManagerB5210E87
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Users\user\Desktop\payment_advice.exe VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\payment_advice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
(numbers in parentheses are the report's per-technique signature counts)
Valid Accounts | Windows Management Instrumentation (1) | Scheduled Task/Job (1) | Process Injection (312) | Masquerading (1) | Input Capture (1) | Query Registry (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job (1) | Boot or Logon Initialization Scripts | Scheduled Task/Job (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (111) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (21) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (312) | NTDS | Virtualization/Sandbox Evasion (21) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (111) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing (21) | Cached Domain Credentials | Remote System Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery (13) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                      Behavior Graph

(behavior graph image not included in this extraction)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
payment_advice.exe | 24% | Virustotal |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
6.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen
6.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Dropper.Gen
6.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Dropper.Gen
6.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
6.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
6.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cnen | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn. | 0% | Virustotal |
http://www.zhongyicts.com.cn. | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnKX | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/==FL | 0% | Avira URL Cloud | safe
http://www.fontbureau.com3 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.comalic | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | payment_advice.exe, 00000000.00000003.655235756.0000000005A87000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp | false | | high
http://www.fontbureau.com/designersG | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/ | payment_advice.exe, 00000000.00000003.661610975.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661648739.0000000005AB7000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cnen | payment_advice.exe, 00000000.00000003.655057399.0000000005A84000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.zhongyicts.com.cn. | payment_advice.exe, 00000000.00000003.655332882.0000000005A86000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.655385357.0000000005A86000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.tiro.com | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | payment_advice.exe, 00000000.00000003.655057399.0000000005A84000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.zhongyicts.com.cnKX | payment_advice.exe, 00000000.00000003.655332882.0000000005A86000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | payment_advice.exe, 00000000.00000003.659974688.0000000005ABD000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.660089261.0000000005ABD000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/==FL | payment_advice.exe, 00000000.00000003.661723557.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661610975.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661797055.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661694433.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661648739.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661846411.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661760000.0000000005AB7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com3 | payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalic | payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/. | payment_advice.exe, 00000000.00000003.658699195.0000000005ABD000.00000004.00000001.sdmp | false | | high
http://www.urwpp.deDPlease | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.como. | payment_advice.exe, 00000000.00000003.655385357.0000000005A86000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                                Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.222.57.80 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | true

                                                General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 553346
Start date: 14.01.2022
Start time: 18:19:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 58s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: payment_advice.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 0.2% (good quality ratio 0.1%)
• Quality average: 28.7%
• Quality standard deviation: 40.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 36
• Number of non-executed functions: 6
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.49.150.241, 173.222.108.210, 173.222.108.226
• Excluded domains from analysis (whitelisted): s-ring.msedge.net, wu-shim.trafficmanager.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, t-ring.msedge.net, settingsfd-geo.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, teams-ring.msedge.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
18:20:19 | API Interceptor | 1x Sleep call for process: payment_advice.exe modified
18:20:48 | API Interceptor | 1x Sleep call for process: RegSvcs.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASN

Match: ROOTLAYERNETNL

Associated Sample Name / URL | Detection | Context
GLOBAL BUSINESS REGISTER.exe | malicious | 45.137.22.79
LllN46kyik.exe | malicious | 185.222.57.71
QUOTATION REQUEST DTD311221 - Mopcoms Turkey.xlsx | malicious | 185.222.57.71
DHLexpress Shipping DOCs.exe | malicious | 45.137.22.79
ANDOC FILE NO#0012.18.21.exe | malicious | 45.137.22.79
OUH1Ff9Hb8.rtf | malicious | 185.222.57.154
REVISED ORDER #001.2021..exe | malicious | 45.137.22.79
Awb12152021_34527.xlsx | malicious | 185.222.57.154
PROFORMA INVOICE.xlsx | malicious | 185.222.57.153
QPSHED-0421-0103r1 DOH XII_ORDER.exe | malicious | 45.137.22.79
4777_211122173928_001.xlsx | malicious | 185.222.57.154
INVOICE - FIRST 2 CONTAINERS 1110.docx | malicious | 185.222.57.142
QPSHED-0421-0103r1 DOH XII_ORDER.exe | malicious | 45.137.22.79
PO.LHD-074787648AONMERF-WACA RESIP.exe | malicious | 45.137.22.79
Order PV2106938821.exe | malicious | 45.137.22.79
MR0763 OFFER.exe | malicious | 45.137.22.79
Order PV2106938821.exe | malicious | 45.137.22.79
PO 122821 FOB Xingang_China 20mt Sodium Benzoate.exe | malicious | 185.222.58.151
SWIFT Transfer(103) 001FTLC213200324.exe | malicious | 45.137.22.79
Scan_IMG-SWIFT_103_SKMBT2021-11-18.exe | malicious | 45.137.22.143

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: Microsoft Cabinet archive data, 61414 bytes, 1 file
Category: dropped
Size (bytes): 61414
Entropy (8bit): 7.995245868798237
Encrypted: true
SSDEEP: 1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5: ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1: 2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256: 6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512: FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious: false
Reputation: moderate, very likely benign file
                                                Preview: MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: data
Category: modified
Size (bytes): 328
Entropy (8bit): 3.1244568012511515
Encrypted: false
SSDEEP: 6:kKDk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:79kPlE99SNxAhUeYlUSA/t
MD5: 1AD9D3C77987DE50D16FA98A6D04545D
SHA1: C87624B50174BBAA7748B9902360A3DB8210A7FC
SHA-256: C055B3399CD39B1D85853DA633FAB0B60D579D3FA65736DB2BD59163040D4F56
SHA-512: 4AD443D435E493D6B30B2B50E577A3D4948FF7922E1973F40CCB907F53F3A5C0AFEB69398C960723680158C233AE0750F1AB40F0D3DFF8366523F39ED1D47D93
Malicious: false
Reputation: low
                                                Preview: p...... ..........P.k...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment_advice.exe.log
Process: C:\Users\user\Desktop\payment_advice.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.345651901398759
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
MD5: A9EFF9253CAF99EC8665E41D736DDAED
SHA1: D95BB4ABC856D774DA4602A59DE252B4BF560530
SHA-256: DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
SHA-512: 96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
Malicious: true
Reputation: moderate, very likely benign file
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                Static File Info

                                                General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.5940068786416095
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: payment_advice.exe
File size: 387584
MD5: 8c111a2fb2509662db26b214b72e4e36
SHA1: 1706e12b96c88c74b1551184770221ae90eded88
SHA256: 18dee23d492e67fd0644205091068422a7322f94f9028a4a85a87505e6003cb8
SHA512: 75f03d45240f22e92f3a6d0133de64ccb7e4d59d0b4eafbc8b44f668e7f3d98580cd486c36aaa110d7ee67b9aa3373b597e427c2c86a54b659e1ad880bc9cb87
SSDEEP: 6144:Dmd5K777777777777N7ErDnTsU9C1w4DZ4OrcY7UyEQ0LtGVvC7RRX:aK777777777777N7EPAUg1w4qgT0LU+
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-G.a............................>.... ........@.. .......................@............@................................

                                                File Icon

Icon Hash: 00828e8e8686b000

                                                Static PE Info

                                                General

Entrypoint: 0x45fc3e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61E1472D [Fri Jan 14 09:49:33 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]

                                                Data Directories

                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5fbf0 | 0x4b | .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x614 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x62000 | 0xc | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5fb96 | 0x1c | .text
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x2000 | 0x5dc44 | 0x5de00 | False | 0.625301681092 | data | 6.61261885246 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x60000 | 0x614 | 0x800 | False | 0.3349609375 | data | 3.4396261812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0x62000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name | RVA | Size | Type | Language | Country
                                                RT_VERSION | 0x600a0 | 0x386 | data | |
                                                RT_MANIFEST | 0x60428 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                Imports

                                                DLL | Import
                                                mscoree.dll | _CorExeMain

                                                Version Infos

                                                Description | Data
                                                Translation | 0x0000 0x04b0
                                                LegalCopyright | 2022 Tradewell
                                                Assembly Version | 22.0.0.0
                                                InternalName | StoreAssemblyFileEnumerati.exe
                                                FileVersion | 1.1.0.0
                                                CompanyName | Tradewell ltd
                                                LegalTrademarks |
                                                Comments | Purple Org
                                                ProductName | Blaster
                                                ProductVersion | 1.1.0.0
                                                FileDescription | Blaster
                                                OriginalFilename | StoreAssemblyFileEnumerati.exe

                                                Network Behavior

                                                Snort IDS Alerts

                                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                01/14/22-18:20:48.001691 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 6275 | 49780 | 185.222.57.80 | 192.168.2.4

                                                Network Port Distribution

                                                TCP Packets

                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                                Code Manipulations

                                                Statistics

                                                CPU Usage


                                                Memory Usage


                                                High Level Behavior Distribution


                                                Behavior


                                                System Behavior

                                                General

                                                Start time:18:20:11
                                                Start date:14/01/2022
                                                Path:C:\Users\user\Desktop\payment_advice.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\payment_advice.exe"
                                                Imagebase:0x7e0000
                                                File size:387584 bytes
                                                MD5 hash:8C111A2FB2509662DB26B214B72E4E36
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:low

                                                General

                                                Start time:18:20:20
                                                Start date:14/01/2022
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Imagebase:0x1c0000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:18:20:21
                                                Start date:14/01/2022
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Imagebase:0x50000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:18:20:21
                                                Start date:14/01/2022
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Imagebase:0x4a0000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation:high

                                                Disassembly

                                                Code Analysis


                                                  Execution Graph

                                                  Execution Coverage:11.4%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:4.6%
                                                  Total number of Nodes:259
                                                  Total number of Limit Nodes:22

                                                  Graph

7376e33 ResumeThread 23231->23232 23233 7376e38 ResumeThread 23231->23233 23234 7377080 WriteProcessMemory 23231->23234 23235 7377078 WriteProcessMemory 23231->23235 23232->23231 23233->23231 23234->23231 23235->23231 23237 73770c8 WriteProcessMemory 23236->23237 23239 737711f 23237->23239 23239->23156 23241 73770c8 WriteProcessMemory 23240->23241 23243 737711f 23241->23243 23243->23156 23245 7376e38 ResumeThread 23244->23245 23247 7376ea9 23245->23247 23247->23156 23249 7376e78 ResumeThread 23248->23249 23251 7376ea9 23249->23251 23251->23156 23253 7377391 CreateProcessA 23252->23253 23255 7377553 23253->23255 23255->23255 23257 7377391 CreateProcessA 23256->23257 23259 7377553 23257->23259 23259->23259 23261 7376ee3 SetThreadContext 23260->23261 23262 7376ea3 23260->23262 23264 7376f75 23261->23264 23262->23200 23264->23200 23266 7376f2d SetThreadContext 23265->23266 23268 7376f75 23266->23268 23268->23200 23270 73771bb ReadProcessMemory 23269->23270 23272 73771ff 23270->23272 23272->23202 23274 73771bb ReadProcessMemory 23273->23274 23276 73771ff 23274->23276 23276->23202 23278 7377000 VirtualAllocEx 23277->23278 23280 737703d 23278->23280 23280->23216 23282 7376fc0 VirtualAllocEx 23281->23282 23284 737703d 23282->23284 23284->23216 23285 f6c138 DuplicateHandle 23286 f6c1ce 23285->23286 23287 7379dc8 23288 7379f53 23287->23288 23289 7379dee 23287->23289 23289->23288 23293 737a040 23289->23293 23296 737a048 23289->23296 23299 737a0db 23289->23299 23294 737a072 PostMessageW 23293->23294 23295 737a0b4 23294->23295 23295->23289 23297 737a072 PostMessageW 23296->23297 23298 737a0b4 23297->23298 23298->23289 23300 737a072 PostMessageW 23299->23300 23302 737a0e2 23299->23302 23301 737a0b4 23300->23301 23301->23289

                                                  Executed Functions

                                                  Control-flow Graph

control_flow_graph: [rendered graph; basic-block listing condensed] Function at 7378c80, basic blocks 7378c80 through 7379967. Call targets named in the graph: 7377fb0, 73772fc/7377308, 7377080/7377078, 7376e33/7376e38, 7379d69/7379d78.
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (
                                                  • API String ID: 0-3887548279
                                                  • Opcode ID: 567bb27298b28c3c99d7b340c1dc18d87f585aaf6b1c6e7457f00637845dd2a7
                                                  • Instruction ID: bb4e6da87c8338c57062094a9bf5b23f0b5a1110007677bd82def2cea5ae6421
                                                  • Opcode Fuzzy Hash: 567bb27298b28c3c99d7b340c1dc18d87f585aaf6b1c6e7457f00637845dd2a7
                                                  • Instruction Fuzzy Hash: 24E1E0B1D04229CFEB24DF65C944BEDBBB6AB8A304F1086EAD50DA7250DB745AC4CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: feaa1e3933ef6e85b6fce8764714ceb6ecb737e81f866ffacdb68ac8a7946b25
                                                  • Instruction ID: f12dcd19b7f54a3f93d82894fd6f7ba9b33a7573c9f0ea254337b594553a4cd3
                                                  • Opcode Fuzzy Hash: feaa1e3933ef6e85b6fce8764714ceb6ecb737e81f866ffacdb68ac8a7946b25
                                                  • Instruction Fuzzy Hash: 88D1F1B1D04229CFEB24DF65C944BEDBBB6BB49304F0081EAD50DA7291DB789A85CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 00F6BF70
                                                  • GetCurrentThread.KERNEL32 ref: 00F6BFAD
                                                  • GetCurrentProcess.KERNEL32 ref: 00F6BFEA
                                                  • GetCurrentThreadId.KERNEL32 ref: 00F6C043
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: bfdfc1a4cc85f19a7ea3fb90d772f48d6deb5a89b17487c65aa20273aea8dfc4
                                                  • Instruction ID: dbeec02abcdfb1f3b9a8edc5420dbb30226106c6b2eb19fee45ef4bf46dae0d4
                                                  • Opcode Fuzzy Hash: bfdfc1a4cc85f19a7ea3fb90d772f48d6deb5a89b17487c65aa20273aea8dfc4
                                                  • Instruction Fuzzy Hash: CE5157B09047489FDB24CFA9DA487EEBBF0EF49314F24845AE059A72A1C7749884CF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 00F6BF70
                                                  • GetCurrentThread.KERNEL32 ref: 00F6BFAD
                                                  • GetCurrentProcess.KERNEL32 ref: 00F6BFEA
                                                  • GetCurrentThreadId.KERNEL32 ref: 00F6C043
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: a36693d4402251fa1deae308425224038cb397e4be18cfde875f7f874cdbf0df
                                                  • Instruction ID: e2b802f19a5129fc3fe13e3f265aeea990e356c3eca805da5752f9557baa03f4
                                                  • Opcode Fuzzy Hash: a36693d4402251fa1deae308425224038cb397e4be18cfde875f7f874cdbf0df
                                                  • Instruction Fuzzy Hash: 625146B09007499FDB24CFA9E9487EEBBF4EF48314F24845AE059A72A1C7749884CF65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

control_flow_graph: [rendered graph; basic-block listing condensed] Function at 73772fc, basic blocks 73772fc through 737764d. API call in the graph: CreateProcessA (block 7377497-7377551).
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0737753E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 634d26385e8672adc293050301f51572d26f252d441859f6a7242867cbdb9ec7
                                                  • Instruction ID: 7a5190dd4dde9927098a57b5171d4ef689c95d311b5acfad23c8fb51bd915b35
                                                  • Opcode Fuzzy Hash: 634d26385e8672adc293050301f51572d26f252d441859f6a7242867cbdb9ec7
                                                  • Instruction Fuzzy Hash: CBA152B1D00629DFEF20CFA8C8417DEBBB2BF44314F148569D849A7250DB799985CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

control_flow_graph: [rendered graph; basic-block listing condensed] Function at 7377308, basic blocks 7377308 through 737764d. API call in the graph: CreateProcessA (block 7377497-7377551).
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0737753E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 35acbc61f71741fa52d18c497c3c5873989e024e632566f101dfce71055a3a45
                                                  • Instruction ID: 1347489c7037d5788b9388eb0ce4b5ff16500febd0d26f49f02e12fa63248e7d
                                                  • Opcode Fuzzy Hash: 35acbc61f71741fa52d18c497c3c5873989e024e632566f101dfce71055a3a45
                                                  • Instruction Fuzzy Hash: E0914FB1D00229DFEF20CFA8C8417DEBBB2BF44314F148569D809A7250DB799985CF92
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

control_flow_graph: [rendered graph; basic-block listing condensed] Function at f69f10, basic blocks f69f10 through f6a180. Call targets named in the graph: f68a8c, f6a198/f6a188, f68a98, f68aa8, f68ab8, f69afc. API call in the graph: GetModuleHandleW (block f6a138-f6a163).
                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00F6A156
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 58ee852993daf776b97f032b9c34ba1cdba92d9cb5141aa18a10206861f9aa57
                                                  • Instruction ID: 56528cb9df21f120c7638492a7cf4abaea2e328cb4c42d769f9889207a3e1621
                                                  • Opcode Fuzzy Hash: 58ee852993daf776b97f032b9c34ba1cdba92d9cb5141aa18a10206861f9aa57
                                                  • Instruction Fuzzy Hash: F7713470A00B059FDB24DF6AD44076ABBF5FF48314F008A2EE44ADBA50DB75E9458F91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

control_flow_graph: [rendered graph; basic-block listing condensed] Function at f6559c, basic blocks f6559c through f656f1. API call in the graph: CreateActCtxA (block f6559c-f65669).
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 00F65659
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: c9faa78f917db9cea8f58f67869583e7294e2d2c6b56b69d34b259a2dd9295da
                                                  • Instruction ID: 398050fe76c3fa54413708cbaf4a21d444a022ae6542e163d72a181b15682aa6
                                                  • Opcode Fuzzy Hash: c9faa78f917db9cea8f58f67869583e7294e2d2c6b56b69d34b259a2dd9295da
                                                  • Instruction Fuzzy Hash: 8541E0B1C00618CFDB24CFA9C8447DEBBB5BF89318F20846AD408AB251DB756946CF91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

control_flow_graph: [rendered graph; basic-block listing condensed] Function at f63e30, basic blocks f63e30 through f656f1. API call in the graph: CreateActCtxA (block f63e30-f65669).
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 00F65659
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: dee76e339fcadc9ee17760b769625f279a146420fac89d779ccd7913dbb62957
                                                  • Instruction ID: f260a7ed250c5f7c64eae8899a0d6d2f172d01ba0131d98c8038cdeabe28302a
                                                  • Opcode Fuzzy Hash: dee76e339fcadc9ee17760b769625f279a146420fac89d779ccd7913dbb62957
                                                  • Instruction Fuzzy Hash: F741E271C00618CFDB24CFA9C9447CEBBB5BF89704F208569D409BB251DB756946CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

control_flow_graph: [rendered graph; basic-block listing condensed] Function at 7376ee0, basic blocks 7376ea3 through 7376fac. API call in the graph: SetThreadContext (block 7376f43-7376f73).
                                                  APIs
                                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 07376F66
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: ContextThread
                                                  • String ID:
                                                  • API String ID: 1591575202-0
                                                  • Opcode ID: ef47f6be9261a5d61aaef718d0d9dfed545d04ea520e25fe3c03bd3700f32910
                                                  • Instruction ID: 587630c5650de4b421e8605b79c5cf3fb941bb71169e9221f9d9e6acb04fde73
                                                  • Opcode Fuzzy Hash: ef47f6be9261a5d61aaef718d0d9dfed545d04ea520e25fe3c03bd3700f32910
                                                  • Instruction Fuzzy Hash: E5315CB2D047098FDB10DFA9D8457EEBBF5EF88224F14842AD519B7640CB78A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

control_flow_graph: [rendered graph; basic-block listing condensed] Function at 737a0db, basic blocks 737a072 through 737a15e. API call in the graph: PostMessageW (block 737a072-737a0b2).
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 0737A0A5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 88570b1db020154c36d048b1f40ef33f5abdfcfeeca00b9de09873d5027c2fcf
                                                  • Instruction ID: ce781d56a33e860837445e0f7640f4e8a214d2c06582cfe304ed42e3b3a90e4a
                                                  • Opcode Fuzzy Hash: 88570b1db020154c36d048b1f40ef33f5abdfcfeeca00b9de09873d5027c2fcf
                                                  • Instruction Fuzzy Hash: D3218DB59042199FEB20CFA8D945BEEBBF4BB89304F108459D908B7240C7799904CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

control_flow_graph: [rendered graph; basic-block listing condensed] Function at 7377078, basic blocks 7377078 through 7377156. API call in the graph: WriteProcessMemory (block 73770de-737711d).
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07377110
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: b4f8524d3e900973a066770956e43f4ed9bde38fcb0128d9ba0585a61174d193
                                                  • Instruction ID: 53f45bd0659beb023c91484ddd9f1f9532c880572f0aabf0d4185b7044bbf9ae
                                                  • Opcode Fuzzy Hash: b4f8524d3e900973a066770956e43f4ed9bde38fcb0128d9ba0585a61174d193
                                                  • Instruction Fuzzy Hash: 192157B59003499FDB10CFA9C884BDEBBF5FF48314F10842AE918A7240C7789944DFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Basic blocks (5, address order, 7377080-7377156): 7377080-73770ce, 73770d0-73770dc, 73770de-737711d [WriteProcessMemory], 737711f-7377125, 7377126-7377156
                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07377110
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 079c788df3557c3c6557dac1c62d9177cdad63f7551b8c5955aa1c5e3cb495c1
                                                  • Instruction ID: 893a458970a7879230df1b131ade75ba9d619021a857b9c6ffc44bd6ebf9c413
                                                  • Opcode Fuzzy Hash: 079c788df3557c3c6557dac1c62d9177cdad63f7551b8c5955aa1c5e3cb495c1
                                                  • Instruction Fuzzy Hash: 0B2125B19003499FDB10CFA9C884BDEBBF5FF48314F10882AE919A7240C778A954DBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Basic blocks (5, address order, 7376ee8-7376fac): 7376ee8-7376f33, 7376f35-7376f41, 7376f43-7376f73 [SetThreadContext], 7376f75-7376f7b, 7376f7c-7376fac
                                                  APIs
                                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 07376F66
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: ContextThread
                                                  • String ID:
                                                  • API String ID: 1591575202-0
                                                  • Opcode ID: 794fb496f8100f3ad37108374b9b6b09277a4f2e0ea29f3efe34f0ff5102001e
                                                  • Instruction ID: f3c847c86c5a7b3f27d7f160593776228f7d673c6b6b255906aa3eed033aa7ac
                                                  • Opcode Fuzzy Hash: 794fb496f8100f3ad37108374b9b6b09277a4f2e0ea29f3efe34f0ff5102001e
                                                  • Instruction Fuzzy Hash: 262138B1D003098FDB10CFAAC4857EEBBF4EF48224F14842ED419A7240CB78A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Basic blocks (3, address order, 7377170-7377236): 7377170-73771fd [ReadProcessMemory], 73771ff-7377205, 7377206-7377236
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073771F0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 06951603e912de62894ee42e2702c58af6e3de98946afb2265258ba119521f6a
                                                  • Instruction ID: 13a0227eba97f1e71c329004f55fadd210ef0f88e672f814f35d48b55c6630bb
                                                  • Opcode Fuzzy Hash: 06951603e912de62894ee42e2702c58af6e3de98946afb2265258ba119521f6a
                                                  • Instruction Fuzzy Hash: 122128B1D003599FCB10CFA9D884BDEBBF5FF48314F10842AE519A7240C7389944DBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Control-flow Graph

                                                  • Basic blocks (3, address order, 7377168-7377236): 7377168-73771fd [ReadProcessMemory], 73771ff-7377205, 7377206-7377236
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073771F0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 8abcd72dab452c26ede9082e67625c359147254b01c91432c94c89745d73e779
                                                  • Instruction ID: 5764af941b76088af0747f1c111e9d904a2a716bc904071e128e1e1a0921dc27
                                                  • Opcode Fuzzy Hash: 8abcd72dab452c26ede9082e67625c359147254b01c91432c94c89745d73e779
                                                  • Instruction Fuzzy Hash: BC2114B19003599FDB10CFA9D880BEEBBF5FF48314F14882AE959A7240C7389945DBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F6C1BF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 011ebdc26d4c152b112af8e8ed3eff1a996700e2a2e8dd38b17718090e0852b1
                                                  • Instruction ID: 91442190d034405811b3096be9949922b0bdcdc23b4d863d57dcd6f6e5337091
                                                  • Opcode Fuzzy Hash: 011ebdc26d4c152b112af8e8ed3eff1a996700e2a2e8dd38b17718090e0852b1
                                                  • Instruction Fuzzy Hash: 882103B5D00208AFDB10CF99D984AEEBBF4FF08324F14851AE958A3211D378A954CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F6C1BF
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: a6a8369a7594b2522d7423abc2e14ce6ce2996001968e089eb17addefb797945
                                                  • Instruction ID: 9ff0ef69427e22ca2be942e8643cfff601e4db2de04705636be6e147ac912314
                                                  • Opcode Fuzzy Hash: a6a8369a7594b2522d7423abc2e14ce6ce2996001968e089eb17addefb797945
                                                  • Instruction Fuzzy Hash: 4421F5B5D002089FDB10CF99D984ADEBFF4FB48320F14841AE954A3311D378A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F6A1D1,00000800,00000000,00000000), ref: 00F6A3E2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 781caf146c0a52cffe229a8faacb39893a4d82c479ddba32a9387411ec594add
                                                  • Instruction ID: 0ac443959279d1383dce287cc0ad4532bc7ea1e9943bd39d36df39a0936bdf5e
                                                  • Opcode Fuzzy Hash: 781caf146c0a52cffe229a8faacb39893a4d82c479ddba32a9387411ec594add
                                                  • Instruction Fuzzy Hash: CF1103B69002499FCB10CF9AC844BDEBBF4EB48324F14842AE419B7300C775A945CFA6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F6A1D1,00000800,00000000,00000000), ref: 00F6A3E2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 4989f90fe90693f996152eaaa62ebb8e2d75ddcab37dedad1eacd87a63833641
                                                  • Instruction ID: 2161b3630f5761d1b6ddacaeaceda967f6cd834b59e423adcacd4b96af314db6
                                                  • Opcode Fuzzy Hash: 4989f90fe90693f996152eaaa62ebb8e2d75ddcab37dedad1eacd87a63833641
                                                  • Instruction Fuzzy Hash: 7E1114B6D002498FDB10CFAAD844ADEBBF4EB88324F14852AD419B7710C375A945CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0737702E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 73d5239eea43b2f2918041b958b8f0f80f831b64eb0804a484f208f47e935768
                                                  • Instruction ID: 2b35869bec94142e6f258c83fc8a910decec924104cb8080ebdc50e459af839b
                                                  • Opcode Fuzzy Hash: 73d5239eea43b2f2918041b958b8f0f80f831b64eb0804a484f208f47e935768
                                                  • Instruction Fuzzy Hash: 451167729002489FDB10CFAAD844BDFBBF5EF88324F14881AE519A7210C739A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0737702E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 8a93963dddd67eff6fe4adf648d3058432214869fc5e98432eaa7d60f82a2121
                                                  • Instruction ID: 27e3da97cf7fd0da33583736bac6dface406545d26b2b795571fa217ab6c8850
                                                  • Opcode Fuzzy Hash: 8a93963dddd67eff6fe4adf648d3058432214869fc5e98432eaa7d60f82a2121
                                                  • Instruction Fuzzy Hash: 9B1137719002499FDB10CFA9D844BDFBBF5EF88324F14881AE519A7250C779A954CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F6A1D1,00000800,00000000,00000000), ref: 00F6A3E2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: dd393f4bfe5b530035a21c53ad5dfa4a50d9fc6f48acda4bde3e3e3d3b37329c
                                                  • Instruction ID: 58a91d6c292d1c2b707bc394930cee4ca5c67a0860858fee3aa3aa49932a12e3
                                                  • Opcode Fuzzy Hash: dd393f4bfe5b530035a21c53ad5dfa4a50d9fc6f48acda4bde3e3e3d3b37329c
                                                  • Instruction Fuzzy Hash: B211E1B29043089FDB10CBA9D4047DAFBF4EF56324F14845BD548A7212C37A9845CF62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: 46a704da847c71fd160777427ab0b4a2e50560e3d2212c6c299d92ddfd1a179f
                                                  • Instruction ID: aec804e2cf8c5d9b340d8e1717c2137c765d9ae75ef82437bca225b5bcd7d71e
                                                  • Opcode Fuzzy Hash: 46a704da847c71fd160777427ab0b4a2e50560e3d2212c6c299d92ddfd1a179f
                                                  • Instruction Fuzzy Hash: 05113AB1D007488BDB20DFAAD8457DFFBF5EF88224F148829D419A7640CB79A944CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: e75be96737d04fe52513a9d890de37a9734bc83046797f11da02c03ad2c0e844
                                                  • Instruction ID: aed7cf94e0b0490f8549b5db0f9af25c9ca46a3c3c03e158449e421506935f23
                                                  • Opcode Fuzzy Hash: e75be96737d04fe52513a9d890de37a9734bc83046797f11da02c03ad2c0e844
                                                  • Instruction Fuzzy Hash: 82113AB1D007488BDB10DFAAD8447DFFBF5AF88224F148829D419A7640CB79A944CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00F6A156
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: a7c4288136fae86e21204ddfb8f9b1b7c824d3adce052f71a249afe2ee67fcc0
                                                  • Instruction ID: 4280fe43176f69727f7b77436df68fbe3ab0d2bc1e1d179a5fb3d49113f77fdc
                                                  • Opcode Fuzzy Hash: a7c4288136fae86e21204ddfb8f9b1b7c824d3adce052f71a249afe2ee67fcc0
                                                  • Instruction Fuzzy Hash: E311DFB6D006498FDB10CF9AD844BDEFBF4AB89324F14852AD429B7610C379A545CFA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 0737A0A5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: b5b77e4a4576e3af5b52847efcf7727ca0bace968856a98e9a7608c1f6c99342
                                                  • Instruction ID: a6a509f2481c74430be24acd748b30e0dd6d01698831d4db9e2068cda9353241
                                                  • Opcode Fuzzy Hash: b5b77e4a4576e3af5b52847efcf7727ca0bace968856a98e9a7608c1f6c99342
                                                  • Instruction Fuzzy Hash: 911106B5900649DFDB20CF99D989BDFBFF4EB49324F148419D858A7600C379A544CFA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 0737A0A5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: aa912af85a25574761da9f9774e6d43ac712b1f49bd9949923b0a67922cf0c63
                                                  • Instruction ID: 42a9202f0a8508e9ca78fba78ec9251d8481bf4b2674125aab87842b6c4334a0
                                                  • Opcode Fuzzy Hash: aa912af85a25574761da9f9774e6d43ac712b1f49bd9949923b0a67922cf0c63
                                                  • Instruction Fuzzy Hash: 8611E8B58003499FDB20CF99D988BDFBBF8FB48324F148419D518A7600C375A544CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

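                                                  Taken together, the entries above are one small wrapper per API, and the wrappers in the 07370000 region ("based on PE: false", i.e. not a mapped image, which is consistent with JIT-emitted P/Invoke stubs) cover the full remote-injection primitive set: VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, SetThreadContext and ResumeThread. The script below is an added triage example, not part of the Joe Sandbox report: it parses the "• Api.MODULE(args), ref: ADDR" bullet format used on this page, groups call sites by dump region, and flags a region that carries the complete allocate/write/set-context/resume chain. RECORDS is transcribed from the entries above (the two ResumeThread entries carry no ref line on the page, so their ref is None). The .sdmp name layout (pid.index.timestamp.base.protection.type, with 0x40 read as PAGE_EXECUTE_READWRITE) is an assumption about Joe Sandbox's naming and is not stated on this page.

```python
"""Added triage example for the per-function API entries in this report.
Not the report's own tooling; RECORDS is transcribed from the page."""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constant

# (api, importing module, call-site ref, dump region base) from the entries above.
# ResumeThread has no ref on the page, so it is recorded with ref=None.
RECORDS = [
    ("PostMessageW", "USER32", "0737A0A5", "07370000"),
    ("WriteProcessMemory", "KERNELBASE", "07377110", "07370000"),
    ("SetThreadContext", "KERNELBASE", "07376F66", "07370000"),
    ("ReadProcessMemory", "KERNELBASE", "073771F0", "07370000"),
    ("DuplicateHandle", "KERNELBASE", "00F6C1BF", "00F60000"),
    ("LoadLibraryExW", "KERNELBASE", "00F6A3E2", "00F60000"),
    ("VirtualAllocEx", "KERNELBASE", "0737702E", "07370000"),
    ("ResumeThread", "KERNELBASE", None, "07370000"),
    ("GetModuleHandleW", "KERNELBASE", "00F6A156", "00F60000"),
]

# Allocate / write / hijack thread context / resume: the injection chain to look for.
INJECTION_CHAIN = ("VirtualAllocEx", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread")

# Matches the report's bullet format: "• Api.MODULE(a,b,c), ref: 0737A0A5"
API_LINE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]{8})")


def parse_api_line(line):
    """Parse one API bullet from the report; returns None for any other line."""
    m = API_LINE.search(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    return {"api": api, "module": module, "args": args.split(","), "ref": ref}


def parse_dump_name(name):
    """Split a .sdmp file name into its fields.

    Field layout (pid.index.timestamp.base.protection.type) is an assumption
    about Joe Sandbox naming; the page itself does not document it.
    """
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 6:
        raise ValueError(f"unexpected dump name: {name}")
    pid, index, _timestamp, base, prot, mtype = parts
    protection = int(prot, 16)
    return {
        "pid": int(pid, 16),
        "index": int(index, 16),
        "base": int(base, 16),
        "protection": protection,
        "type": int(mtype, 16),
        "rwx": protection == PAGE_EXECUTE_READWRITE,
    }


def group_by_region(records):
    """Map dump-region base -> set of APIs whose wrappers live there."""
    regions = defaultdict(set)
    for api, _module, _ref, region in records:
        regions[region].add(api)
    return regions


def injection_regions(records, chain=INJECTION_CHAIN):
    """Dump regions that contain a wrapper for every API in the chain."""
    hits = []
    for region, apis in sorted(group_by_region(records).items()):
        if all(api in apis for api in chain):
            hits.append(region)
    return hits


def call_sites_in_order(records, region):
    """Wrapper call sites in a region, by address. Records with no ref are skipped.

    This is layout order, not execution order: the report gives no call trace.
    """
    sites = [(int(ref, 16), api) for api, _m, ref, r in records
             if r == region and ref]
    return [api for _addr, api in sorted(sites)]


if __name__ == "__main__":
    for region in injection_regions(RECORDS):
        print(f"injection chain present in region {region}:",
              call_sites_in_order(RECORDS, region))
```

                                                  The script reports co-location only. The wrappers sit in address order SetThreadContext, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory in the 07370000 region, which says nothing about the order they were called in; confirming the sequence needs the API trace from the dynamic run, not this static listing. The 00F60000 region (GetModuleHandleW, LoadLibraryExW, DuplicateHandle) is loader-style code and is not flagged.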
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675549384.0000000000DED000.00000040.00000001.sdmp, Offset: 00DED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ded000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 129702e81d924f3fac59b9e948419a8c132e644346d12ef04609f9132575e257
                                                  • Instruction ID: 54c8eeecfd5eae05607371c85951d94e798d40fce80377f768e3a4882438c4cb
                                                  • Opcode Fuzzy Hash: 129702e81d924f3fac59b9e948419a8c132e644346d12ef04609f9132575e257
                                                  • Instruction Fuzzy Hash: F3213771504280DFDB01EF14D9C0B26BF66FB88328F24C569E8450B246C736D856DBB2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675569350.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_dfd000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 23bac3eae2641962bc3076391fc8fb1c9885d5dc613229aa19f75fe89e8a912b
                                                  • Instruction ID: 50bd9692fe47254a5c7d1cd6b01a8c75a087770fb37c8fd430578d17145fe1fc
                                                  • Opcode Fuzzy Hash: 23bac3eae2641962bc3076391fc8fb1c9885d5dc613229aa19f75fe89e8a912b
                                                  • Instruction Fuzzy Hash: C121F571504248DFDB14DF14D5C4B26BB67FB84314F24C969EA494B346CB3AD847CA72
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675569350.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_dfd000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7a6d91ed7111baa4369154ba8a756b5348faf19f1b45771bd36b1eb222a5db4a
                                                  • Instruction ID: e834d8c417fff55192f981c92b1d0f4082be6c464161d87c12f12f952f058173
                                                  • Opcode Fuzzy Hash: 7a6d91ed7111baa4369154ba8a756b5348faf19f1b45771bd36b1eb222a5db4a
                                                  • Instruction Fuzzy Hash: 15210771504208EFDB01CF54D5C4B26BB67FB84318F24C96DEA494B346C736D846DAB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675569350.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_dfd000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7297341e3e995a7f734cfcc9a13c0fc52ab5a655c294c1d87137c50457d619d9
                                                  • Instruction ID: 0577c855a353be7c6694cde45567f427d97b2832e2592a0b6070d4b608787f3a
                                                  • Opcode Fuzzy Hash: 7297341e3e995a7f734cfcc9a13c0fc52ab5a655c294c1d87137c50457d619d9
                                                  • Instruction Fuzzy Hash: 6F2180755093C48FCB02CF20D994715BF72EB46314F29C5EAD8498B697C33A980ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675549384.0000000000DED000.00000040.00000001.sdmp, Offset: 00DED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ded000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
                                                  • Instruction ID: 34f2645ca577811b2d5a05e43c23410639911bf0eaba002067913884fbf66bd9
                                                  • Opcode Fuzzy Hash: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
                                                  • Instruction Fuzzy Hash: 9711D376404280CFCB11DF10D9C4B16BF72FB85324F28C6A9D8490B656C336D85ACBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675569350.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_dfd000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5bb4153f9a30fdc5044ab1fc0347d89dccf23cf42b6ecc64222b32b3c21c52e9
                                                  • Instruction ID: b095f0705b05e4e2bac8e7a499dda154bd9dc7f508ba4a321d0130baaa16d2e7
                                                  • Opcode Fuzzy Hash: 5bb4153f9a30fdc5044ab1fc0347d89dccf23cf42b6ecc64222b32b3c21c52e9
                                                  • Instruction Fuzzy Hash: D3119075504284DFCB11CF10D5C4B25FB72FB84314F28C6AED9494B656C33AD85ACBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675549384.0000000000DED000.00000040.00000001.sdmp, Offset: 00DED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ded000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6aec2b685fa9f584b578e7951e3ddf4c501a1c5d969313804102c1650d4f8127
                                                  • Instruction ID: 06a1fa0eac35b51740e518525f3f2d85ed78e46eeb7d53bcd2ab1647ce4c602c
                                                  • Opcode Fuzzy Hash: 6aec2b685fa9f584b578e7951e3ddf4c501a1c5d969313804102c1650d4f8127
                                                  • Instruction Fuzzy Hash: 1201F271008380AAE720BF26CC84B67BB99EF41328F18C51AED065B242DB79DC44DAB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675549384.0000000000DED000.00000040.00000001.sdmp, Offset: 00DED000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_ded000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: caa395afacecdc99e63f7f10c759dc22e09b37b21f80aeb9c57ecc5360c20f65
                                                  • Instruction ID: 270502e390b1d452b7a37f035b4eaf253a73555a5a1e367dfa2fb66e791d9b89
                                                  • Opcode Fuzzy Hash: caa395afacecdc99e63f7f10c759dc22e09b37b21f80aeb9c57ecc5360c20f65
                                                  • Instruction Fuzzy Hash: BAF0C271408684AAE7109F16CC88B62FB98EB41734F18C45AED091B286C7799C44CAB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Lwg2$UUUU
                                                  • API String ID: 0-28393116
                                                  • Opcode ID: f48319e7b1d2415c3b4e19ff6a38d8270b379a1a419c3d986bfd51b9f3f5bca5
                                                  • Instruction ID: 3ee8edd3d987551c876713af33dc87022c134f1aec102fd0d0b376e3880712dc
                                                  • Opcode Fuzzy Hash: f48319e7b1d2415c3b4e19ff6a38d8270b379a1a419c3d986bfd51b9f3f5bca5
                                                  • Instruction Fuzzy Hash: 8C514F70E116688FEBA4CFADD981B8DBBF2AF48314F1481A9D51CE7206D7349A85CF04
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 04afcf650beb2bdf9408a2aad0d77c2fb4243fbb0c4e7e52f0e214dd644d4222
                                                  • Instruction ID: dfdc7613f1b0eb986b3a291fba417f1538b5a53d12ec12b7f58a8a2e39ca90c4
                                                  • Opcode Fuzzy Hash: 04afcf650beb2bdf9408a2aad0d77c2fb4243fbb0c4e7e52f0e214dd644d4222
                                                  • Instruction Fuzzy Hash: A912B2F1411B468BE732CF65F99C2893BB1B745328F904308D2612FADAD7B8158ACF84
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2286ce664c591c61fdbb1327c6012b76eebf75465c0b007860e332775e8837af
                                                  • Instruction ID: 2bfb403e93be295eba9094eced99d9971c30325f36143297d6f9c5fd6fd187a2
                                                  • Opcode Fuzzy Hash: 2286ce664c591c61fdbb1327c6012b76eebf75465c0b007860e332775e8837af
                                                  • Instruction Fuzzy Hash: 2EA19E36E0021ACFCF15DFB5C8445EEBBB2FF85300B15816AE905AB221EB75A955DB80
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.675678513.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_f60000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3aad3f6c8c9a16f327ef1915552094629f9b430d3dfb421e7f007512e1b30268
                                                  • Instruction ID: b4e0e95558d529a6efb980d794338af2bfe94e0465e401e715e47080506b6b79
                                                  • Opcode Fuzzy Hash: 3aad3f6c8c9a16f327ef1915552094629f9b430d3dfb421e7f007512e1b30268
                                                  • Instruction Fuzzy Hash: 78C13CB181174A8FD732DF65F99C1893BB1BB85328F504309D1612FADAD7B8148ACF84
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ac11e57f12d4b2186668e5871ffec9da5f11ba52498a3d9d046899ca7d6d9995
                                                  • Instruction ID: 48859da1098d378b3b842533038dbfb5cf8c850b00022bf9306b52ced2d55ee0
                                                  • Opcode Fuzzy Hash: ac11e57f12d4b2186668e5871ffec9da5f11ba52498a3d9d046899ca7d6d9995
                                                  • Instruction Fuzzy Hash: FF5190B1E056598BE729CF6B8C4079AFBF7AFC5210F04C1FAC50CAA255EB3409468F15
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3d683729d868d6267b69ae7ed86868601ebfe43a458b006a22eec8a38e2772e4
                                                  • Instruction ID: d3d83a1965b199b9fed147ff9c100f23bf2e36f1f39858732d2c854a09586b2c
                                                  • Opcode Fuzzy Hash: 3d683729d868d6267b69ae7ed86868601ebfe43a458b006a22eec8a38e2772e4
                                                  • Instruction Fuzzy Hash: 464140B1E056188BEB6CCF6B8D4078AFAF7AFC8204F54D1FA950CA7215EB3449858F15
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
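The function records above (one "Memory Dump Source / Similarity / Uniqueness" block per function) are easier to work with as structured data: which unpacked or injected region (00DED000, 00DFD000, 07370000) each function lives in, which functions carry embedded strings, and whether an Instruction Fuzzy Hash repeats across regions. The parser below is an added example written for this page, not Joe Sandbox code; it assumes the text layout exactly as extracted here (bullet lines of the form "• Key: value", a bare "Uniqueness Score" line, and a "Non-executed Functions" heading that separates executed from non-executed records). The sample input is three records copied from this report with indentation removed. The fuzzy hashes are treated as opaque strings; no similarity metric is assumed for them.

```python
"""Parse Joe Sandbox IDA-plugin function records into dicts and pivot on them."""
import re
from collections import defaultdict

# Three records copied from this report (indentation stripped); the third sits
# under the "Non-executed Functions" heading and carries a String ID.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.675569350.0000000000DFD000.00000040.00000001.sdmp, Offset: 00DFD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_dfd000_payment_advice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a6d91ed7111baa4369154ba8a756b5348faf19f1b45771bd36b1eb222a5db4a
• Instruction ID: e834d8c417fff55192f981c92b1d0f4082be6c464161d87c12f12f952f058173
• Opcode Fuzzy Hash: 7a6d91ed7111baa4369154ba8a756b5348faf19f1b45771bd36b1eb222a5db4a
• Instruction Fuzzy Hash: 15210771504208EFDB01CF54D5C4B26BB67FB84318F24C96DEA494B346C736D846DAB1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.675549384.0000000000DED000.00000040.00000001.sdmp, Offset: 00DED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ded000_payment_advice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
• Instruction ID: 34f2645ca577811b2d5a05e43c23410639911bf0eaba002067913884fbf66bd9
• Opcode Fuzzy Hash: cf6f911b96cd926d5ec4c359b7ca446b582c99ed5d68efd31eb8ad46abb8db7a
• Instruction Fuzzy Hash: 9711D376404280CFCB11DF10D9C4B16BF72FB85324F28C6A9D8490B656C336D85ACBA2
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.677721951.0000000007370000.00000040.00000001.sdmp, Offset: 07370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7370000_payment_advice.jbxd
Similarity
• API ID:
• String ID: Lwg2$UUUU
• API String ID: 0-28393116
• Opcode ID: f48319e7b1d2415c3b4e19ff6a38d8270b379a1a419c3d986bfd51b9f3f5bca5
• Instruction ID: 3ee8edd3d987551c876713af33dc87022c134f1aec102fd0d0b376e3880712dc
• Opcode Fuzzy Hash: f48319e7b1d2415c3b4e19ff6a38d8270b379a1a419c3d986bfd51b9f3f5bca5
• Instruction Fuzzy Hash: 8C514F70E116688FEBA4CFADD981B8DBBF2AF48314F1481A9D51CE7206D7349A85CF04
Uniqueness

Uniqueness Score: -1.00%
"""

FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SOURCE_RE = re.compile(r"^(?P<file>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")


def parse_records(text):
    """Return one dict per function record; empty bullet values become None."""
    records, current, executed = [], None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Non-executed Functions":   # heading: everything after it is non-executed
            executed = False
        elif line == "Memory Dump Source":     # start of a new record
            current = {"executed": executed}
            records.append(current)
        elif current is None:
            continue
        elif line.startswith("Uniqueness Score:"):
            current["Uniqueness Score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
        elif (m := FIELD_RE.match(line)):
            key, val = m.group("key").strip(), m.group("val").strip()
            sm = SOURCE_RE.match(val) if key == "Source File" else None
            if sm:  # split the composite Source File line into its three parts
                current.update({"Source File": sm.group("file"), "Offset": int(sm.group("off"), 16),
                                "Based on PE": sm.group("pe") == "true"})
            else:
                current[key] = val or None
        # other lines ("Similarity", "Joe Sandbox IDA Plugin", "Strings") are section labels
    return records


def group_by_region(records):
    """Map each memory-dump offset (an unpacked or injected region) to its Instruction IDs."""
    out = defaultdict(list)
    for r in records:
        out[r["Offset"]].append(r["Instruction ID"])
    return dict(out)


def strings_referenced(records):
    """String IDs embedded in functions; useful as pivots into the Strings section."""
    return {r["String ID"] for r in records if r.get("String ID")}


def opcode_mismatches(records):
    """Every record here has Opcode ID == Opcode Fuzzy Hash; a mismatch means parse damage."""
    return [r["Instruction ID"] for r in records if r.get("Opcode ID") != r.get("Opcode Fuzzy Hash")]


def hashes_in_several_regions(records):
    """Instruction Fuzzy Hashes that occur in more than one dump region (shared/copied code)."""
    seen = defaultdict(set)
    for r in records:
        seen[r["Instruction Fuzzy Hash"]].add(r["Offset"])
    return {h: sorted(o) for h, o in seen.items() if len(o) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for off, ids in group_by_region(recs).items():
        print(f"{off:08X}: {len(ids)} function(s)")
    print("strings:", strings_referenced(recs), "mismatches:", opcode_mismatches(recs))
```

Running it against the full report text (all records, not just the three sampled here) gives a per-region function count and the set of string pivots; the Uniqueness Score of -1.00% is carried through as a float so records where the score was actually computed can be filtered later.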