Windows Analysis Report payment_advice.exe

Overview

General Information

Sample Name: payment_advice.exe
Analysis ID: 553346
MD5: 8c111a2fb2509662db26b214b72e4e36
SHA1: 1706e12b96c88c74b1551184770221ae90eded88
SHA256: 18dee23d492e67fd0644205091068422a7322f94f9028a4a85a87505e6003cb8
Tags: exe

Detection

Malware family: AsyncRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected AsyncRAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains method to dynamically call methods (often used by packers)
Executable has a suspicious name (potential lure to open the executable)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • payment_advice.exe (PID: 6548 cmdline: "C:\Users\user\Desktop\payment_advice.exe" MD5: 8C111A2FB2509662DB26B214B72E4E36)
    • RegSvcs.exe (PID: 5580 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 6872 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 4204 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: AsyncRAT

{
  "Server": "185.222.57.80",
  "Ports": "6275",
  "Version": "0.5.7B",
  "Autorun": "false",
  "Install_Folder": "%AppData%",
  "Install_File": "",
  "AES_key": "QezdxbEnAcR8YRyfVhhUW7fy58KZtsCM",
  "Mutex": "AsyncMutex_6SI8OkPnk",
  "AntiDetection": "false",
  "External_config_on_Pastebin": "null",
  "BDOS": "false",
  "Startup_Delay": "20",
  "HWID": "null",
  "Certificate": "MIIE8jCCAtqgAwIBAgIQAPsgY74fnNwbIPR6dDIAXTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwMTExMTUxMzQ3WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAImeGbwefUPZlenM9ZLOLyWoIfTUQbvfSf2I4aTtRtrJV0PvNEvbnGLJBVZe2Pl0/07x8Tk2rB11VhT66e/qyj/1GaK2lCocdlZY1I5bbDPiVaENZ3Pd4XFA00Am9axKENbivQzVj9NT8HlT1ymPK1utCLa7IWfmf5SR76DG8iaClYf0QiNFizdty7Bmhnc5ZS9xFI7tWzao+K0Ds7iD0IEQvKPWVAdssV/Y0rDXxcNcYo0iKDU4Qln8Hwgeuqh+ZFSgwwYnbDCfyKHO85s7GCD4MluE6vYBla1guC8SRWvRTIop+edRyivzmQ17cX+9K6W/UcReXkrNe4UEDbSKNzxwp65yTww4B95eJEXiKzrmNpPq1jEs8okWRoPluIKi2SEOMQcUwb6VcNamWQxwnW2WMPswRpcFVedgU0mUTs4AzLhUt8vhf5e3zAs5fYY7G2NtNMUzXgR2AkhbG30dIguSUFxCiyoXL15+Z4aKudbOycqydKoeGghHd9Lgl78N7mjNuM0Ti5YNeHltKbqEb10P5K4ZaSaWQe2FjTTY0/PjTqwUGouJcXg+vG6JYcsfFw4a6n3kivC7AOPYsdvMLuq+D3Rg/wrlo7ZfgzvkZojzjBboBRDbMi57Y8W77i+VEb81VlPwmTcbzP6dFcrfJVmVOgDRW3q96OD9HxfMXQxZAgMBAAGjMjAwMB0GA1UdDgQWBBTaL3HojDpid9l5Z4ww/A0enwsLHzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA4PTTl66juqXrGz2R4fBZ1Dy3CfIL590qgWNuzGTkqR2uC54F9gG0bhexUBfK5OZp0ypmQlfRIRw5e6bXXmizGmHXGKdirG4dIiwK2hh/9ENP7D8nafAeIaB935RopQHSR6qXrbm2IiJFJySnfZLCnWADOPq0zy3YlD62JA07DNvEyQKq7v128VkpFPGzCIeFBxcbrLvadpEv71py3DwZJU+FYn2tqFBZPTtVkZcPIlSdG2+f5lp1FlgTZa+p+5pUYrLyH5KI3BZBLpZy29j1/Yy/x5N6eVi7zHNoin4VtMlx8oSKxNfx8C66palvTiw3/Ga9NVyWkvFO43ddgMsdAfJ0CryfKLaK3D9vfd1HgdH6AFB+lHh51ANUeNgRnlngCQ5NZL9PTOBywiHV9aPV1lQPUlbE9SLlmgZfXDzxxHOE+eHR+FpOumMxrEiUAn/x3xRN6jgq1opAJ8dgK1JRx76pC3eXPvyNmz6NPUaVb2oOI+nBDdnAyUWlOY84JrycPi8qt0HbL7FOMhwJKk3wE7zdL32h+bRhef2VediBaEnPI38ZNk6Nn7lYkSifkhOeDTHR2WMo5TNEM+bMpb66/kySmGBEY7f4w0R8190mxufBfIYKeimOunDuRukbKXpNEnmkSPoysVZP9r/KmF0iE57g6FDmfF5ixPsz7B4OS4A==",
  "ServerSignature": "<value not reproduced on this page>",
  "Group": "Default"
}

Notes on the configuration: Autorun is false and Install_File is empty, so this build neither copies itself to %AppData% nor registers a startup entry; persistence is not part of this sample's behaviour. The durable indicators are therefore the hard-coded C2 endpoint 185.222.57.80:6275, the mutex AsyncMutex_6SI8OkPnk, and the embedded server certificate. Decoding the Certificate value above gives a self-signed CA certificate with subject and issuer CN=AsyncRAT Server, signed with sha512WithRSAEncryption over a 4096-bit key, valid from 2022-01-11 15:13:47 UTC until 9999-12-31; this is the certificate the Snort rule in the Networking section matches on.

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
(additional entries are collapsed in the original report: "6 entries")

Unpacked PEs

Source | Rule | Description | Author | Strings
6.0.RegSvcs.exe.400000.4.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
6.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
6.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
6.0.RegSvcs.exe.400000.3.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
(additional entries are collapsed in the original report: "3 entries")

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard
Data:
  Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  ParentCommandLine: "C:\Users\user\Desktop\payment_advice.exe"
  ParentImage: C:\Users\user\Desktop\payment_advice.exe
  ParentProcessId: 6548
  ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  ProcessId: 5580
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4
Data: the same event as above (RegSvcs.exe, ProcessId 5580, started by payment_advice.exe, ParentProcessId 6548, with a command line that is nothing but the image path)
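Both Sigma hits key on the same fact: RegSvcs.exe, a .NET utility that does nothing useful without arguments, is started by the lure with a bare command line, which is the classic sacrificial process for hollowing (the "Creates a process in suspended mode", "Writes to foreign memory regions" and "Injects a PE file" signatures above describe the rest). The following is an added example, not code from this report or from the Sigma project, that runs that check over constructed process-creation events modelled on the process tree above; the event field names, the PIDs and parents of the benign events, the extra host names beyond RegSvcs.exe and the parent allow-list are assumptions made for this example.

```python
"""Flag sacrificial .NET hosts launched with an empty command line.

Added example, not code from the Joe Sandbox report or the Sigma project.
Events are constructed to mirror the report's process tree; field names,
the benign events' PIDs and parents, and the host/parent lists are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Utilities that expect arguments and are common process-hollowing targets.
# RegSvcs.exe is the one observed in this report; the others are assumptions.
SACRIFICIAL_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

# Parents that start these hosts as part of normal developer tooling (assumption).
BENIGN_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_no_arguments(image: str, command_line: str) -> bool:
    """True when the command line is only the image path, quoted or not."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return False  # malformed quoting: do not guess
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    exe_name, image_name = basename(exe), basename(image)
    stem = image_name[:-4] if image_name.endswith(".exe") else image_name
    return exe_name in (image_name, stem) and rest.strip() == ""


def detect_sacrificial_hosts(events):
    """One finding per sacrificial host started bare by a non-developer parent."""
    findings = []
    for ev in events:
        if basename(ev.image) not in SACRIFICIAL_HOSTS:
            continue
        if not has_no_arguments(ev.image, ev.command_line):
            continue
        if basename(ev.parent_image) in BENIGN_PARENTS:
            continue
        findings.append({
            "pid": ev.pid,
            "image": ev.image,
            "parent_pid": ev.parent_pid,
            "parent_image": ev.parent_image,
            "reason": "sacrificial host started without arguments",
        })
    return findings


def repeated_spawners(findings, threshold=2):
    """Parents with `threshold` or more bare spawns. Several bare RegSvcs.exe
    children from one parent (three in this report) is a stronger signal than one."""
    counts = Counter(f["parent_pid"] for f in findings)
    return {pid: n for pid, n in counts.items() if n >= threshold}


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
LURE = r"C:\Users\user\Desktop\payment_advice.exe"


def sample_events():
    """Constructed events: the report's three RegSvcs.exe children (real PIDs)
    plus two benign launches whose PIDs and parents are invented."""
    return [
        ProcessEvent(6548, LURE, f'"{LURE}" ', 1234, r"C:\Windows\explorer.exe"),
        ProcessEvent(5580, REGSVCS, REGSVCS, 6548, LURE),
        ProcessEvent(6872, REGSVCS, REGSVCS, 6548, LURE),
        ProcessEvent(4204, REGSVCS, REGSVCS, 6548, LURE),
        # Benign: an admin unregistering a COM+ component (arguments present).
        ProcessEvent(7001, REGSVCS, f'"{REGSVCS}" /u C:\\build\\Component.dll',
                     7000, r"C:\Windows\System32\cmd.exe"),
        # Benign: a developer tool launching the host bare (parent allow-listed).
        ProcessEvent(7002, REGSVCS, REGSVCS, 7003,
                     r"C:\Program Files\Microsoft Visual Studio\devenv.exe"),
    ]


if __name__ == "__main__":
    hits = detect_sacrificial_hosts(sample_events())
    for h in hits:
        print(f"PID {h['pid']} {basename(h['image'])} <- PID {h['parent_pid']} "
              f"{basename(h['parent_image'])}: {h['reason']}")
    print("parents with repeated bare spawns:", repeated_spawners(hits))
```

The parent allow-list is what keeps this from firing on build servers; tune it per environment, and treat a hit whose parent sits in a user-writable directory (Desktop, Downloads, %TEMP%) as the highest priority.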

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 6.0.RegSvcs.exe.400000.4.unpack | Malware Configuration Extractor: AsyncRAT (the configuration is identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: payment_advice.exe | Virustotal: Detection: 24%
Source: 6.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: payment_advice.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: payment_advice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: StoreAssemblyFileEnumerati.pdb | source: payment_advice.exe

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 185.222.57.80:6275 -> 192.168.2.4:49780
Source: Joe Sandbox View | ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
Source: global traffic | TCP traffic: 192.168.2.4:49780 -> 185.222.57.80:6275
Source: unknown | TCP traffic detected without corresponding DNS query: 185.222.57.80 (this entry is repeated 48 times in the original report; the client reconnects to the C2 address directly, with no name resolution at any point)
The URLs below are strings carried in the binary, not hosts that were contacted. The windowsupdate.com and globalsign.net entries are the CTL and CRL fetch paths the .NET runtime uses for certificate chain validation, and the font-vendor addresses (fontbureau, carterandcone, galapagosdesign, founder.com.cn, sajatypeworks, sakkal, tiro and the rest) are licence and designer metadata from embedded font resources. The only observed network connection is the one above to 185.222.57.80:6275.
Source: RegSvcs.exe, 00000006.00000002.916656825.0000000004D51000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegSvcs.exe, 00000006.00000003.729913845.0000000004DAD000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729784959.0000000004D7A000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916656825.0000000004D51000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.730140141.0000000004DD1000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegSvcs.exe, 00000006.00000003.729391547.0000000004DFF000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729862344.0000000004DFD000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.730061783.0000000004DFD000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?783d96b3a4778
Source: RegSvcs.exe, 00000006.00000002.915733607.0000000000C19000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en~
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: payment_advice.exe, 00000000.00000003.655235756.0000000005A87000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: payment_advice.exe, 00000000.00000003.655385357.0000000005A86000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: payment_advice.exe, 00000000.00000003.658699195.0000000005ABD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/.
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment_advice.exe, 00000000.00000003.659974688.0000000005ABD000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.660089261.0000000005ABD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com3
Source: payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: payment_advice.exe, 00000000.00000003.655057399.0000000005A84000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment_advice.exe, 00000000.00000003.655057399.0000000005A84000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnen
Source: payment_advice.exe, 00000000.00000003.661610975.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661648739.0000000005AB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: payment_advice.exe, 00000000.00000003.661723557.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661610975.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661797055.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661694433.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661648739.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661846411.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661760000.0000000005AB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/==FL
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment_advice.exe, 00000000.00000003.655332882.0000000005A86000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.655385357.0000000005A86000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn.
Source: payment_advice.exe, 00000000.00000003.655332882.0000000005A86000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnKX
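The strongest network signal in this section is not the ET certificate rule but the pattern beneath it: the implant opens TCP sessions to 185.222.57.80:6275 with no DNS lookup at all, because the C2 address is a literal in the extracted configuration, and it does so on a port no common service uses. The following is an added example, not code from this report, that reproduces that correlation over constructed DNS-answer and connection records. The 192.168.2.4 -> 185.222.57.80:6275 flow is taken from the report; the timestamps, the resolved 203.0.113.10 and direct 198.51.100.7 flows (RFC 5737 documentation addresses), the field layout and the common-port list are assumptions made for this example.

```python
"""Flag outbound connections whose destination IP never appeared in a DNS answer.

Added example, not part of the Joe Sandbox report. Only the C2 flow
(192.168.2.4 -> 185.222.57.80:6275) is taken from the report; timestamps,
the other flows, the record layout and COMMON_PORTS are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports on which direct-to-IP traffic is unremarkable on its own (assumption).
COMMON_PORTS = {53, 80, 123, 443}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_unresolved_connections(dns_answers, connections, window=timedelta(hours=1)):
    """dns_answers: (timestamp, qname, answer_ip); connections: (timestamp, src, sport, dst, dport).

    A connection is alerted when no DNS answer carrying its destination IP was
    seen within `window` before it; a destination port outside COMMON_PORTS is
    recorded as a second, independent reason (the report lists both as signatures).
    """
    answers = defaultdict(list)  # answer_ip -> [(answer time, queried name)]
    for ts, qname, ip in dns_answers:
        answers[ip].append((parse_ts(ts), qname))

    alerts = []
    for ts, src, sport, dst, dport in connections:
        t = parse_ts(ts)
        prior = [q for (qt, q) in answers.get(dst, []) if t - window <= qt <= t]
        reasons = []
        if not prior:
            reasons.append(f"no DNS answer for destination in the last {window}")
        if dport not in COMMON_PORTS:
            reasons.append(f"non-standard destination port {dport}")
        if reasons:
            alerts.append({"time": ts, "src": src, "sport": sport, "dst": dst,
                           "dport": dport, "resolved_as": prior, "reasons": reasons})
    return alerts


def summarize(alerts):
    """Collapse repeated hits per destination (the report repeats its entry 48 times)."""
    per_dst = defaultdict(lambda: {"count": 0, "ports": set(), "reasons": set()})
    for a in alerts:
        entry = per_dst[a["dst"]]
        entry["count"] += 1
        entry["ports"].add(a["dport"])
        entry["reasons"].update(a["reasons"])
    return dict(per_dst)


# Constructed telemetry. Timestamps are invented; 203.0.113.10 stands in for the
# CTL host named in the report's strings and 198.51.100.7 for an unrelated server.
DNS_ANSWERS = [
    ("2022-01-19T10:00:01", "ctldl.windowsupdate.com", "203.0.113.10"),
]
CONNECTIONS = [
    ("2022-01-19T10:00:02", "192.168.2.4", 49779, "203.0.113.10", 80),     # resolved, common port
    ("2022-01-19T10:00:40", "192.168.2.4", 49780, "185.222.57.80", 6275),  # the report's C2 flow
    ("2022-01-19T10:01:10", "192.168.2.4", 49782, "185.222.57.80", 6275),  # reconnect, as in the report
    ("2022-01-19T10:02:00", "192.168.2.4", 49783, "198.51.100.7", 443),    # direct-to-IP, common port
]

if __name__ == "__main__":
    hits = detect_unresolved_connections(DNS_ANSWERS, CONNECTIONS)
    for dst, info in summarize(hits).items():
        print(f"{dst}: {info['count']} connection(s) on ports {sorted(info['ports'])}")
        for reason in sorted(info["reasons"]):
            print(f"  - {reason}")
```

The one-hour window matters in practice: a sandbox run is short, but on a real host a resolver cache can serve an answer logged hours earlier, so widen the window to the observed TTLs before trusting the "no DNS" reason alone, and weight the port reason separately.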

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR
Source: payment_advice.exe, 00000000.00000002.675710014.0000000000F80000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: payment_advice.exe
Executable has a suspicious name (potential lure to open the executable)
Source: payment_advice.exe | Static file information: Suspicious name
Source: payment_advice.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\payment_advice.exe | Code function: 0_2_00F6C9B4
Source: C:\Users\user\Desktop\payment_advice.exe | Code function: 0_2_00F6EDF8
Source: C:\Users\user\Desktop\payment_advice.exe | Code function: 0_2_00F6EDE9
Source: C:\Users\user\Desktop\payment_advice.exe | Code function: 0_2_07378C80
Source: C:\Users\user\Desktop\payment_advice.exe | Code function: 0_2_07378C70
Source: C:\Users\user\Desktop\payment_advice.exe | Code function: 0_2_073719D8
Source: C:\Users\user\Desktop\payment_advice.exe | Code function: 0_2_07370006
Source: C:\Users\user\Desktop\payment_advice.exe | Code function: 0_2_07370040
Source: payment_advice.exe | Binary or memory string: OriginalFilename vs payment_advice.exe
Source: payment_advice.exe, 00000000.00000002.675291434.00000000007E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStoreAssemblyFileEnumerati.exe0 vs payment_advice.exe
Source: payment_advice.exe, 00000000.00000002.676514313.0000000003B99000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs payment_advice.exe
Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs payment_advice.exe
Source: payment_advice.exe, 00000000.00000002.677656360.0000000007260000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs payment_advice.exe
Source: payment_advice.exe, 00000000.00000002.675710014.0000000000F80000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs payment_advice.exe
Source: payment_advice.exe | Binary or memory string: OriginalFilenameStoreAssemblyFileEnumerati.exe0 vs payment_advice.exe
Source: payment_advice.exe | Virustotal: Detection: 24%
Source: payment_advice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\payment_advice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\payment_advice.exe "C:\Users\user\Desktop\payment_advice.exe"
Source: C:\Users\user\Desktop\payment_advice.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (this entry appears 6 times in the original report; the process tree above shows three RegSvcs.exe children, PIDs 5580, 6872 and 4204, each started without arguments)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\payment_advice.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment_advice.exe.log
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@0/1
Source: 6.0.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.2.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.2.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.3.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.3.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.1.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.1.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: C:\Users\user\Desktop\payment_advice.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Settings.csBase64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', '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', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy
                      Source: 6.0.RegSvcs.exe.400000.3.unpack, Client/Settings.csBase64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', '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', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy
                      Source: 6.0.RegSvcs.exe.400000.2.unpack, Client/Settings.csBase64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', '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', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy
                      Source: 6.2.RegSvcs.exe.400000.0.unpack, Client/Settings.csBase64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', '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', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy
                      Source: 6.0.RegSvcs.exe.400000.0.unpack, Client/Settings.csBase64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', 'i+GX60sC61HzbjzZ+x+BYGTJTzOq3teA/i9tuBsO/gYarARe5QBnTWJknu19YC/oEakO4kIGFq3ug9OqF4SLZ9kqxLiiNFxyEzjPjatcWvGbvHZ1N3dzoIZHjjfFK6QEil364t2xt/+vlZ7vcVlWHYh3pECNwHLv6bP918Hq+8K+J28xAvsc1p1LXGwcx3tPgmA0iyLjQvHU05ZbqMlGoeWIAvung3jS6iZNTNwIV7/+rxZPWgYp5F1wY+T0crZb6URR+MrLQxQ53xBvBUlehkJ2c0cPJgX2FjSV6636tVXU4Bfbp4qGvVYrO+MObu8djqUdF4p0hHyvJqcx7rzgjzd/wmdtXDZBLbujl7SsbZuCpYmkUfMRVAh4X36bf4IEx1UpB3tPI7S5lPEKPfjWhBT8FpchljCNhinKYRo63pMPXjy7HwQVDiR5aPlKcd1kotr1QmzAFHBNxJk3W8YU6npCEmzQy6cbTPr0R2nMxNLseUKe/7cIsZiJ/RcjvxMvJ7+kueJ5m/Vv+HmnUru7fgn3c7e4FfnO+lCaxhlafAsGBK7XzqlFVhyHqwUBnxSmtMa7hCaIZzzSDpmbFJv89AXtQDadFco0Eym7Hk7ytJiy5MbZlbrH/yE5AliTzUPde3fkqrx6UtReEzowZFQqSOnAprg/l61EWU6mE7cR7U0e9C6t4oi6Y7sTeQjJRQxgZKqwU1oNO1bmLNqN11KldjBkfmeA0zMoeae9wkgfJSOtz4IMYbiGomPEhxudS6F8Ep5/LWQA8HMrQhmqQcLV3e4VvzrS6p/TUpF2aRGdJ4vQj1rrb7YTfrv/XOuyb6YmxuS0OdgdmhLCQebTfzw+E4VWeLz5USfuQRC/fx9Z+g4hHD2NUgh3gyJo5BJ62aae0njRdsoYTKckcA5GTYMqFIeJgUKRGGaEbeyUzOKOONluQTNLhdOZCqC8tmZdjCgSpxMpCrfBe4enmY0t4goJV2szwmwYYVn4jDH2bzhkxb3Cvy7+kFFGiI8LwjlTjLgD7vVOwyGBC7rjsPlaWk/bd0MwnjXaU/g4F3Hix8h8ktvyDHE9YXEb3Wpq/8DhJBe0Es9nASF0grhnMmYceKpyjXZ5vF4m/3ZM5fR86oNbnFDffSJLA6DL98foLwuRQKX1lQ9DKZprw6n3KRuJrMkA+U/688Fq46DrqBiFIg6rHp4OxLITf+okyFNos5qZjRIKd9h/SYGwK38HLgraFBu923DZ26cERe68tTvg/8Bw0JzMUgjC6L8rgYqH5dHbLRsGq/5QknO+e0GTVuP03Sagya2xFYFeHxJpF4s1aRvU1LXoAZiWX96JXNokMkxjHbOq7pQOoJu3Ei6ytsewikIfuTT4QwLCrg5fenYyg4KK1ARwoxA1/VqXEHgL0TMcfHXgOrqPoRA
eT0HG33zD8Iv9R7batQG5MTrEHbYiK9C6EF1Yxabl2R02l1RXNAmv4AF0FgIDa83+OUsLppRy+DqU1qNZ1TPeAXblzPcR72mXby1RAbvzgk5wDwZ+jl3onuaPkHTomEtaD73ewKi5VAJ4SNVvKqYNMXL3C22LqCrPbzRMr/7Pm+No/y+WaM0cyjb20G6/X+KaMrmY8EtE5DUGjhFtfsS0Uw+/iG90PDvlrQRyEbBXp8K0Lp80A7ekY6htMwhlz4493gY490JnL6nyAQk0lDTIozfIJi8kG0sFgFbZ+7kCRn5MRHDU6t2ed+3GQuuPHghXFcbUy7Ny7u25cF8D8/yOdHiXyVDFfDHQk0qLtp19MIrfxzuarkPbNCFZmi2aguluCkjwIilNqqOacj+F4M4+eSQmDCZ11EjupC9VM5GDTMEK8fphRIQ6jY6U4lJlL2PvGY9taigUmYSfVyuWeMtunjgdnUjVUvumwtdq1pVuvbY7a0meuxVaNhfpzJdAZMJ5mqt/E7AEhyVLsX7s3dBpwtRygssWi3F7/efq5i4ctevgwOAjWky7sUcxKhjV5lgCZ1Dujp7o0zkaCEc0F3A+tAzSec/snh0RITpl7UQ5HODjmru1Wglq9Fm2G/cb17yqQrgSK+GgWwYq2zOD2eo70wdrv+xTgNAkG9PG4ElwwoUwjkH4vzhedmX7UQOTBZC0oT6xpNnHfyVn+SxQZQPxMvU8VQlzj07xkLeA9RpQT5lI4fsQJCGNXAnfLCEWfl71T3GxwZo4nN6VCG+y+1Uv77YKCLvBAvrf9IBkDZvn+fIzFSeqx+Y4tW9qpGTVkalcdCx+27U1oi9s+AA8AYJa+Rtp0fXfi6ZiNYTvRQ9Yn01LL5pu2zy7W459ne3eVl3hgW8dOKlplPI56eIEVFIOcv4mfA5I9w4bo84=', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy
                      Source: 6.0.RegSvcs.exe.400000.1.unpack, Client/Settings.csBase64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', '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', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
                      Source: C:\Users\user\Desktop\payment_advice.exe | Mutant created: \Sessions\1\BaseNamedObjects\lVlVHIKo
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\payment_advice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: payment_advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: payment_advice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: payment_advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: StoreAssemblyFileEnumerati.pdb source: payment_advice.exe

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: payment_advice.exe, zB/HE.cs | .Net Code: UP System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.payment_advice.exe.7e0000.0.unpack, zB/HE.cs | .Net Code: UP System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.payment_advice.exe.7e0000.0.unpack, zB/HE.cs | .Net Code: UP System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Handle_Packet/Packet.cs | .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 6.0.RegSvcs.exe.400000.3.unpack, Client/Handle_Packet/Packet.cs | .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 6.0.RegSvcs.exe.400000.2.unpack, Client/Handle_Packet/Packet.cs | .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 6.2.RegSvcs.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs | .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 6.0.RegSvcs.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs | .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 6.0.RegSvcs.exe.400000.1.unpack, Client/Handle_Packet/Packet.cs | .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      .NET source code contains method to dynamically call methods (often used by packers)
                      Source: payment_advice.exe, zB/HE.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 0.0.payment_advice.exe.7e0000.0.unpack, zB/HE.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 0.2.payment_advice.exe.7e0000.0.unpack, zB/HE.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: C:\Users\user\Desktop\payment_advice.exe | Code function: 0_2_00F6D118 pushad ; ret
                      Source: C:\Users\user\Desktop\payment_advice.exe | Code function: 0_2_0737C8DE push dword ptr [edx+ebp*2-75h]; iretd

                      Boot Survival:

                      Yara detected AsyncRAT
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\payment_advice.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
                      Yara detected AsyncRAT
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Source: C:\Users\user\Desktop\payment_advice.exe TID: 1844 | Thread sleep time: -36067s >= -30000s
                      Source: C:\Users\user\Desktop\payment_advice.exe TID: 1680 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\payment_advice.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1646
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8095
                      Source: C:\Users\user\Desktop\payment_advice.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\payment_advice.exe | Thread delayed: delay time: 36067
                      Source: C:\Users\user\Desktop\payment_advice.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation
                      Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: RegSvcs.exe, 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp | Binary or memory string: vmware
                      Source: RegSvcs.exe, 00000006.00000003.870591239.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916835494.0000000004E0A000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.731607572.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.763571335.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729974130.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.915834995.0000000000CFD000.00000004.00000020.sdmp, RegSvcs.exe, 00000006.00000003.730070432.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.763654663.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.759536490.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729404106.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.761156327.0000000004E08000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                      Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\payment_advice.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\payment_advice.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\payment_advice.exe -> Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\payment_advice.exe -> Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\payment_advice.exe -> Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000
Source: C:\Users\user\Desktop\payment_advice.exe -> Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000
Source: C:\Users\user\Desktop\payment_advice.exe -> Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 702008
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\payment_advice.exe -> Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\payment_advice.exe -> Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\payment_advice.exe -> Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\payment_advice.exe -> Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\payment_advice.exe -> Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: RegSvcs.exe, 00000006.00000003.759450957.0000000004DAB000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000003.731548600.0000000004DAB000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916656825.0000000004D51000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916100896.00000000029CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916118306.00000000029D1000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916083911.00000000029C4000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916161929.00000000029ED000.00000004.00000001.sdmp -> Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp -> Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp -> Binary or memory string: Progman
Source: RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp -> Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000006.00000003.759450957.0000000004DAB000.00000004.00000001.sdmp -> Binary or memory string: Program ManagerB5210E87
Source: C:\Users\user\Desktop\payment_advice.exe -> Queries volume information: C:\Users\user\Desktop\payment_advice.exe VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\payment_advice.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\payment_advice.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Each row lists one technique per tactic column (column order: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact); the trailing digits after a technique name are the report's per-signature match counts, and an empty cell is shown as a blank column.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 312 | Masquerading 1 | Input Capture 1 | Query Registry 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 111 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 312 | NTDS | Virtualization/Sandbox Evasion 21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 111 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 21 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

(Interactive graph not reproduced; legend of the graph's node and edge types follows.)

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
payment_advice.exe | 24% | Virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
6.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen
6.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Dropper.Gen
6.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Dropper.Gen
6.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
6.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
6.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cnen | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn. | 0% | Virustotal |
http://www.zhongyicts.com.cn. | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnKX | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/==FL | 0% | Avira URL Cloud | safe
http://www.fontbureau.com3 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.comalic | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | payment_advice.exe, 00000000.00000003.655235756.0000000005A87000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp | false | | high
http://www.fontbureau.com/designersG | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/ | payment_advice.exe, 00000000.00000003.661610975.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661648739.0000000005AB7000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cnen | payment_advice.exe, 00000000.00000003.655057399.0000000005A84000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.zhongyicts.com.cn. | payment_advice.exe, 00000000.00000003.655332882.0000000005A86000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.655385357.0000000005A86000.00000004.00000001.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.tiro.com | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | payment_advice.exe, 00000000.00000003.655057399.0000000005A84000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp | false | | high
http://www.zhongyicts.com.cnKX | payment_advice.exe, 00000000.00000003.655332882.0000000005A86000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | payment_advice.exe, 00000000.00000003.659974688.0000000005ABD000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.660089261.0000000005ABD000.00000004.00000001.sdmp | false | | high
http://www.galapagosdesign.com/==FL | payment_advice.exe, 00000000.00000003.661723557.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661610975.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661797055.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661694433.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661648739.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661846411.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661760000.0000000005AB7000.00000004.00000001.sdmp | false
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.com3payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.galapagosdesign.com/DPleasepayment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers8payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.fonts.compayment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sandoll.co.krpayment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comalicpayment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/.payment_advice.exe, 00000000.00000003.658699195.0000000005ABD000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.urwpp.deDPleasepayment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.zhongyicts.com.cnpayment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.carterandcone.como.payment_advice.exe, 00000000.00000003.655385357.0000000005A86000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.sakkal.compayment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown

                                                Contacted IPs


                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.222.57.80 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | true

                                                General Information

                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                Analysis ID:553346
                                                Start date:14.01.2022
                                                Start time:18:19:21
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 6m 58s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:payment_advice.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:18
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@7/3@0/1
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HDC Information:
                                                • Successful, ratio: 0.2% (good quality ratio 0.1%)
                                                • Quality average: 28.7%
                                                • Quality standard deviation: 40.5%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 20.49.150.241, 173.222.108.210, 173.222.108.226
                                                • Excluded domains from analysis (whitelisted): s-ring.msedge.net, wu-shim.trafficmanager.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, t-ring.msedge.net, settingsfd-geo.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, teams-ring.msedge.net
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
18:20:19 | API Interceptor | 1x Sleep call for process: payment_advice.exe modified
18:20:48 | API Interceptor | 1x Sleep call for process: RegSvcs.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASN

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                                                Category:dropped
                                                Size (bytes):61414
                                                Entropy (8bit):7.995245868798237
                                                Encrypted:true
                                                SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                                                MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                                                SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                                                SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                                                SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
Preview: MSCF cabinet header followed by compressed data (binary content omitted); the archive's single member is named authroot.stl.
                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):328
                                                Entropy (8bit):3.1244568012511515
                                                Encrypted:false
                                                SSDEEP:6:kKDk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:79kPlE99SNxAhUeYlUSA/t
                                                MD5:1AD9D3C77987DE50D16FA98A6D04545D
                                                SHA1:C87624B50174BBAA7748B9902360A3DB8210A7FC
                                                SHA-256:C055B3399CD39B1D85853DA633FAB0B60D579D3FA65736DB2BD59163040D4F56
                                                SHA-512:4AD443D435E493D6B30B2B50E577A3D4948FF7922E1973F40CCB907F53F3A5C0AFEB69398C960723680158C233AE0750F1AB40F0D3DFF8366523F39ED1D47D93
                                                Malicious:false
                                                Reputation:low
Preview: binary cache metadata (omitted) containing the UTF-16 string http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab followed by the ETag "071e15c5dc4d71:0".
                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment_advice.exe.log
                                                Process:C:\Users\user\Desktop\payment_advice.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1310
                                                Entropy (8bit):5.345651901398759
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
                                                MD5:A9EFF9253CAF99EC8665E41D736DDAED
                                                SHA1:D95BB4ABC856D774DA4602A59DE252B4BF560530
                                                SHA-256:DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
                                                SHA-512:96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
                                                Malicious:true
                                                Reputation:moderate, very likely benign file
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):6.5940068786416095
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:payment_advice.exe
                                                File size:387584
                                                MD5:8c111a2fb2509662db26b214b72e4e36
                                                SHA1:1706e12b96c88c74b1551184770221ae90eded88
                                                SHA256:18dee23d492e67fd0644205091068422a7322f94f9028a4a85a87505e6003cb8
                                                SHA512:75f03d45240f22e92f3a6d0133de64ccb7e4d59d0b4eafbc8b44f668e7f3d98580cd486c36aaa110d7ee67b9aa3373b597e427c2c86a54b659e1ad880bc9cb87
                                                SSDEEP:6144:Dmd5K777777777777N7ErDnTsU9C1w4DZ4OrcY7UyEQ0LtGVvC7RRX:aK777777777777N7EPAUg1w4qgT0LU+
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-G.a............................>.... ........@.. .......................@............@................................

                                                File Icon

                                                Icon Hash:00828e8e8686b000

                                                Static PE Info

                                                General

                                                Entrypoint:0x45fc3e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x61E1472D [Fri Jan 14 09:49:33 2022 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes following the jmp are zero padding, which disassembles as this instruction)

                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5fbf0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x60000 | 0x614 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x62000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5fb96 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x5dc44 | 0x5de00 | False | 0.625301681092 | data | 6.61261885246 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x60000 | 0x614 | 0x800 | False | 0.3349609375 | data | 3.4396261812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x62000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name         RVA      Size   Type                                                                          Language  Country
                                                RT_VERSION   0x600a0  0x386  data
                                                RT_MANIFEST  0x60428  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                Imports

                                                DLL          Import
                                                mscoree.dll  _CorExeMain

                                                Version Infos

                                                Description       Data
                                                Translation       0x0000 0x04b0
                                                LegalCopyright    2022 Tradewell
                                                Assembly Version  22.0.0.0
                                                InternalName      StoreAssemblyFileEnumerati.exe
                                                FileVersion       1.1.0.0
                                                CompanyName       Tradewell ltd
                                                LegalTrademarks
                                                Comments          Purple Org
                                                ProductName       Blaster
                                                ProductVersion    1.1.0.0
                                                FileDescription   Blaster
                                                OriginalFilename  StoreAssemblyFileEnumerati.exe

                                                Network Behavior

                                                Snort IDS Alerts

                                                Timestamp                 Protocol  SID      Message                                                   Source Port  Dest Port  Source IP      Dest IP
                                                01/14/22-18:20:48.001691  TCP       2030673  ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)  6275         49780      185.222.57.80  192.168.2.4

                                                Network Port Distribution

                                                TCP Packets


                                                Code Manipulations

                                                Statistics

                                                Behavior

                                                System Behavior

                                                General

                                                Start time:18:20:11
                                                Start date:14/01/2022
                                                Path:C:\Users\user\Desktop\payment_advice.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\payment_advice.exe"
                                                Imagebase:0x7e0000
                                                File size:387584 bytes
                                                MD5 hash:8C111A2FB2509662DB26B214B72E4E36
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:low

                                                General

                                                Start time:18:20:20
                                                Start date:14/01/2022
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Imagebase:0x1c0000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:18:20:21
                                                Start date:14/01/2022
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Imagebase:0x50000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:18:20:21
                                                Start date:14/01/2022
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Imagebase:0x4a0000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation:high

                                                Disassembly

                                                Code Analysis
