Edit tour

Windows Analysis Report
Remittance_Advice 26042024.exe

Overview

General Information

Sample name:	Remittance_Advice 26042024.exe
Analysis ID:	1432026
MD5:	f78fac7fbb75ddcc67dd7cb5b6b6ea97
SHA1:	a9b9c8f3121cb128882d3e59b7ba2b045ce0792f
SHA256:	cd3e530bfaf604d4e59e78d8d8761ab63f0d3d57beff38c1f4802993226af6bb
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Remittance_Advice 26042024.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\Remittance_Advice 26042024.exe" MD5: F78FAC7FBB75DDCC67DD7CB5B6B6EA97)

Remittance_Advice 26042024.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\Remittance_Advice 26042024.exe" MD5: F78FAC7FBB75DDCC67DD7CB5B6B6EA97)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.innomedjsc.com", "Username": "nhung.hth@innomedjsc.com", "Password": "s]~5ai)IFpr-"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1715861724.0000000004349000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1718379417.0000000005D00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4158316953.000000000329E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4155169187.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4155169187.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4158316953.0000000003251000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4158316953.0000000003251000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1715861724.0000000004D37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1715861724.0000000004D37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Remittance_Advice 26042024.exe PID: 7264	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Remittance_Advice 26042024.exe PID: 7264	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Remittance_Advice 26042024.exe PID: 7264	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Remittance_Advice 26042024.exe PID: 7440	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Remittance_Advice 26042024.exe PID: 7440	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Remittance_Advice 26042024.exe.5d00000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Remittance_Advice 26042024.exe.4349970.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Remittance_Advice 26042024.exe.4349970.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Remittance_Advice 26042024.exe.5d00000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Remittance_Advice 26042024.exe.4f3fa40.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Remittance_Advice 26042024.exe.4f3fa40.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Remittance_Advice 26042024.exe.4f3fa40.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31c03:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c75:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31cff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d91:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dfb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e6d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31f03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Remittance_Advice 26042024.exe.4f7aa60.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Remittance_Advice 26042024.exe.4f7aa60.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Remittance_Advice 26042024.exe.4f7aa60.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31c03:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c75:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31cff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d91:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dfb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e6d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31f03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.Remittance_Advice 26042024.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.Remittance_Advice 26042024.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.Remittance_Advice 26042024.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a03:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a75:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33aff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b91:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bfb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c6d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Remittance_Advice 26042024.exe.4f7aa60.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Remittance_Advice 26042024.exe.4f7aa60.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Remittance_Advice 26042024.exe.4f7aa60.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Remittance_Advice 26042024.exe.4f7aa60.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a03:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a75:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33aff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b91:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bfb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c6d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a03:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6ea23:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a75:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ea95:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33aff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6eb1f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b91:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ebb1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bfb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6ec1b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c6d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ec8d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ed23:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d93:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6edb3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 192.249.117.241, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Remittance_Advice 26042024.exe, Initiated: true, ProcessId: 7440, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49737

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.innomedjsc.com", "Username": "nhung.hth@innomedjsc.com", "Password": "s]~5ai)IFpr-"}

Multi AV Scanner detection for submitted file

Source: Remittance_Advice 26042024.exe	ReversingLabs: Detection: 36%
Source: Remittance_Advice 26042024.exe	Virustotal: Detection: 47%			Perma Link

Machine Learning detection for sample

Source: Remittance_Advice 26042024.exe

Joe Sandbox ML: detected

Source: Remittance_Advice 26042024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Remittance_Advice 26042024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f7aa60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View

IP Address: 192.249.117.241 192.249.117.241

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.innomedjsc.com

Source: Remittance_Advice 26042024.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Remittance_Advice 26042024.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.0000000003303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://innomedjsc.com
Source: Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.0000000003303000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.innomedjsc.com
Source: Remittance_Advice 26042024.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718208991.0000000005B89000.00000004.00000020.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718313926.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comtr
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1715861724.0000000004D37000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4155169187.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Remittance_Advice 26042024.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, cPKWk.cs

.Net Code: kmY

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Remittance_Advice 26042024.exe.4f7aa60.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.Remittance_Advice 26042024.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Remittance_Advice 26042024.exe.4f7aa60.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_0175D2A4	0_2_0175D2A4
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE23E0	0_2_07AE23E0
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE20C8	0_2_07AE20C8
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AEC788	0_2_07AEC788
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE1688	0_2_07AE1688
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE1441	0_2_07AE1441
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE1450	0_2_07AE1450
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE23D1	0_2_07AE23D1
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE0228	0_2_07AE0228
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE0219	0_2_07AE0219
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE20B8	0_2_07AE20B8
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE10E0	0_2_07AE10E0
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AEF0F8	0_2_07AEF0F8
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE10D1	0_2_07AE10D1
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AED018	0_2_07AED018
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE3060	0_2_07AE3060
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE3070	0_2_07AE3070
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE5F61	0_2_07AE5F61
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE5F70	0_2_07AE5F70
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AECBE0	0_2_07AECBE0
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE4901	0_2_07AE4901
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AE4910	0_2_07AE4910
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AEE820	0_2_07AEE820
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AEE812	0_2_07AEE812
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_01AB4308	2_2_01AB4308
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_01AB94B8	2_2_01AB94B8
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_01AB4BD8	2_2_01AB4BD8
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_01AB9C70	2_2_01AB9C70
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_01AB3FC0	2_2_01AB3FC0
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_01ABD2B8	2_2_01ABD2B8
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_068E56F8	2_2_068E56F8
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_068E3F68	2_2_068E3F68
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_068EBD38	2_2_068EBD38
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_068EDD48	2_2_068EDD48
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_068E2AF8	2_2_068E2AF8
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_068E8BA8	2_2_068E8BA8
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_068E9B08	2_2_068E9B08
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_068E0040	2_2_068E0040
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_068E3260	2_2_068E3260
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_068E5018	2_2_068E5018
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_06A21123	2_2_06A21123
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_06A21128	2_2_06A21128
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_01ABD2B2	2_2_01ABD2B2

Source: Remittance_Advice 26042024.exe

Static PE information: invalid certificate

Source: Remittance_Advice 26042024.exe, 00000000.00000002.1721948790.000000000A920000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Remittance_Advice 26042024.exe
Source: Remittance_Advice 26042024.exe, 00000000.00000000.1680867005.0000000000EDE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexGm.exeX vs Remittance_Advice 26042024.exe
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1712311280.00000000014DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Remittance_Advice 26042024.exe
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1715861724.0000000004D37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename76f839bd-d42d-4891-87f7-25bf59a41400.exe4 vs Remittance_Advice 26042024.exe
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1715861724.0000000004D37000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Remittance_Advice 26042024.exe
Source: Remittance_Advice 26042024.exe, 00000000.00000002.1714994810.00000000033B6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename76f839bd-d42d-4891-87f7-25bf59a41400.exe4 vs Remittance_Advice 26042024.exe
Source: Remittance_Advice 26042024.exe, 00000002.00000002.4155921492.00000000014F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Remittance_Advice 26042024.exe
Source: Remittance_Advice 26042024.exe, 00000002.00000002.4155169187.000000000043E000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename76f839bd-d42d-4891-87f7-25bf59a41400.exe4 vs Remittance_Advice 26042024.exe
Source: Remittance_Advice 26042024.exe	Binary or memory string: OriginalFilenamexGm.exeX vs Remittance_Advice 26042024.exe

Source: Remittance_Advice 26042024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Remittance_Advice 26042024.exe.4f7aa60.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.Remittance_Advice 26042024.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Remittance_Advice 26042024.exe.4f7aa60.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: Remittance_Advice 26042024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Remittance_Advice 26042024.exe.5d00000.7.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Remittance_Advice 26042024.exe.5d00000.7.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Remittance_Advice 26042024.exe.4349970.4.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Remittance_Advice 26042024.exe.4349970.4.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'

Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, V6lVDE50ADviJOgt3b.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, V6lVDE50ADviJOgt3b.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, V6lVDE50ADviJOgt3b.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, zH2Vy6oCtfE5Jlubgb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, V6lVDE50ADviJOgt3b.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, V6lVDE50ADviJOgt3b.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, V6lVDE50ADviJOgt3b.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, zH2Vy6oCtfE5Jlubgb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance_Advice 26042024.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Mutant created: NULL

Source: Remittance_Advice 26042024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Remittance_Advice 26042024.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Remittance_Advice 26042024.exe	ReversingLabs: Detection: 36%
Source: Remittance_Advice 26042024.exe	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\Remittance_Advice 26042024.exe "C:\Users\user\Desktop\Remittance_Advice 26042024.exe"
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process created: C:\Users\user\Desktop\Remittance_Advice 26042024.exe "C:\Users\user\Desktop\Remittance_Advice 26042024.exe"
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process created: C:\Users\user\Desktop\Remittance_Advice 26042024.exe "C:\Users\user\Desktop\Remittance_Advice 26042024.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Remittance_Advice 26042024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Remittance_Advice 26042024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Remittance_Advice 26042024.exe.5d00000.7.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.Remittance_Advice 26042024.exe.4349970.4.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: Remittance_Advice 26042024.exe, Customer.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, V6lVDE50ADviJOgt3b.cs	.Net Code: ckSKiGKpTj System.Reflection.Assembly.Load(byte[])
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, V6lVDE50ADviJOgt3b.cs	.Net Code: ckSKiGKpTj System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_0175E920 pushad ; retf	0_2_0175E929
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AEC6C1 push edi; iretd	0_2_07AEC6C2
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 0_2_07AEC187 push edi; iretd	0_2_07AEC188
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_068EEF58 pushad ; retf	2_2_068EEF65
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_06A2822A push es; ret	2_2_06A28244
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Code function: 2_2_06A26D88 pushad ; iretd	2_2_06A26D95

Source: Remittance_Advice 26042024.exe

Static PE information: section name: .text entropy: 7.965117649121771

Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, QkitiHOXHrjc0ibgLu.cs	High entropy of concatenated method names: 'Dispose', 'GHjMcnNv0p', 'CUPYCDejX8', 'Dhq11xhiYH', 'XOeMIiXoFk', 'EWSMzUlr36', 'ProcessDialogKey', 'LVGYLxbeM0', 'MRwYM8ZD5B', 'V0dYYBJwrA'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, VbZjkyg6SHBfsA2a5c.cs	High entropy of concatenated method names: 'DJMQjwkUhb', 'jt8QJ4O9oA', 'njtQxtTgqE', 'mPlQN2kNHq', 'JRfQfmWKyd', 'BNfQoNFCam', 'zd7QF5MmLJ', 'BhdQX06Bc9', 'ywrQ0R82c2', 'StwQBgOVK5'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, Vw9LeIcLR10kXhLSce.cs	High entropy of concatenated method names: 'ss2NZQcuC4', 'olgNDJBr54', 'MfNxEfbYqk', 'xofxrmPUKu', 'o8mxHsPDwm', 'NONxdaJquF', 'MWWxGWpxTg', 'jqZxgHLE7V', 'Eb6x9gPMnY', 'FmNxP5olO1'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, i4npy5LxrkUhwdY6kiL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'J9Ja6DWk5L', 'ejLa8fB1A7', 'GUKa3qwgg0', 'tOkapjfiWo', 'VB8aTgGfVJ', 'Oq9a4AvGmI', 's4kaSVPF8Z'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, MWmuxlLM4LqRjBiWLuI.cs	High entropy of concatenated method names: 'Dfmv2OArlD', 'LYuvlKF2cQ', 'lJkviiP3n6', 'zyyvAJUeIb', 'ugZvZsvpO1', 'wOJvRZI1ic', 'cJKvDhHCDF', 'zEdvsKiICs', 'UNHvnuhcNM', 'VLLv5fkWSR'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, g0RhcB20uws1SX75Nl.cs	High entropy of concatenated method names: 'hu2yUjRRL7', 'ExPyIHhPxO', 'x5aQL71ARp', 'e2qQM1Ctpy', 'VepytmTlMS', 'Uu1yV40fKI', 'iPZyeM5OqW', 'bfAy6Dmbfp', 'E28y8Yhp9r', 'YFSy3e0SvW'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, zqHxCdW6rp1yd0aCOD.cs	High entropy of concatenated method names: 'wWyo2rkNvw', 'PRPolFdHPU', 'K2koiiU8y3', 'rSUoAbJ1D6', 'F8koZDR6kG', 'UB9oR0kSBQ', 'wnmoDywwLT', 'kMsosZhDNk', 'PERonGoWfX', 'utLo5Zv76s'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, AGjZDmSFkCArB1Lb05.cs	High entropy of concatenated method names: 'vXYvMHnV7e', 'N3CvunVrf9', 'fNLvKRCkKh', 'WRFvjfxyWj', 'sNXvJSWNaV', 'T4bvNOWWlb', 'eFVvfCdwnD', 'Rs7QSCqWwS', 'h0hQUmcjlT', 'qiYQcnMJup'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, X5o7pNvGPEXF3LPnHU.cs	High entropy of concatenated method names: 'rBNf7KsGS7', 'htSfJdE8qW', 'QgIfN5D3y2', 'cAefogFcWX', 'UyyfFp3InS', 'Md3NTNKaIw', 'n8CN4FuUo9', 'vlgNSLhiR1', 'twtNUYMPvs', 'E8kNceKxun'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, lQeA4VHsyUc9xRw24i.cs	High entropy of concatenated method names: 'S3pWPZavnW', 'M2sWVTDyUv', 'TH5W6oCL2V', 'MREW8cEXT8', 'zcuWCNM7ou', 'JM8WE1LICB', 'GQBWrwG6DN', 'g1MWHPbdM4', 'wCDWdbYSMh', 'aa9WGoqgCN'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, iUHPWcN2naQjryAg8E.cs	High entropy of concatenated method names: 'UbIMofKYRZ', 'QlwMFNNeqG', 'h9DM0oE285', 'CKmMBdO7vx', 'w41MWxl9pG', 'fJSMhmB3MV', 'V8LJwmlSZcLiZ2rCQu', 'uPrdHwFaWiQwtVZbDg', 'AQBMM2pVa1', 'uqyMuZrqGJ'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, qqHHVe1I74QFHsPjeB.cs	High entropy of concatenated method names: 'lQNy0iKE60', 'BwAyBD8n8i', 'ToString', 'TJsyjUX3dN', 'NsvyJo6j69', 'eJiyxubFZu', 'Hj9yNYwBs4', 'qDkyfIkTca', 'iUSyobE6iG', 'pM9yFg0jWS'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, KRFSmBDjaJtSR5MEZy.cs	High entropy of concatenated method names: 'OOuqslgTTl', 'Md2qnwqi9I', 'm34qmhXD3p', 'oFlqCW0qgx', 'KkVqrVqA3c', 'WYkqH2blNy', 'JxEqGFcr08', 'GJnqg2EIl3', 'hf5qPgM0MC', 'GVPqteIvJF'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, mOkB4WXILebSK75DL2.cs	High entropy of concatenated method names: 't5xxAkZ2Jj', 'X28xRbjgxw', 'vwyxsUtn49', 'BqFxnDoPG4', 'FmCxWtKfKu', 'LgyxhhbtHy', 'MDhxyLe4nx', 'rZKxQYPB18', 'SGYxve7OV5', 'V8dxaueUGy'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, uZdw3kATrPC8URTVCE.cs	High entropy of concatenated method names: 'LiWf3s1oZ7', 'OEQfpKJBI0', 'DfwfTo7cXs', 'ToString', 'KKaf4dhQGh', 'loNfScL8G4', 'K6F4Kr7Pw5nMiMIrjuy', 'UD9vbe7LxyoI5CXcFxe', 'etePBA799QV6yLlSph8'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, zH2Vy6oCtfE5Jlubgb.cs	High entropy of concatenated method names: 'qI2J6IQdnv', 'l5lJ80Ahrp', 'Np3J35Ri6q', 'LE1JpNH0bu', 'BZqJTmq6rI', 'FHPJ4VkwNK', 'kTPJS0LRGS', 'grAJUvUqUQ', 'QI1JcG2rid', 'w52JI2X4cV'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, V6lVDE50ADviJOgt3b.cs	High entropy of concatenated method names: 'RSfu7B2N86', 'IUBuj6xl6G', 'zjduJsgGLo', 'ArwuxkpTp0', 'dqPuNhPx7u', 'RlwufkD8c2', 'FTNuotqwdL', 'EoVuFp0J2H', 'MpRuXdX98U', 'RCMu0XMJll'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, bOU9RUzLRXeP8OITj5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HqPvqu0987', 'RbLvWZEWIR', 'p4XvhGNnUJ', 'HF0vyDZKuy', 'aTEvQP9Rc9', 'gSqvv88stK', 'gHPva6Lp6D'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, GS0oRx4tMrwT7L8Ydf.cs	High entropy of concatenated method names: 'YKviyYDQ0', 'mYPArSh8i', 'xnEROWTNq', 'bKGDd2nko', 'nABnn4ilc', 'EeX5E3Bap', 'WynwAaxuutM58fVBfp', 'Vo64CAocH04C3Hg0L7', 'o8nQZ2cXZ', 'u49aVON49'
Source: 0.2.Remittance_Advice 26042024.exe.a920000.8.raw.unpack, D6OhfCpyAsHYmerWJY.cs	High entropy of concatenated method names: 'asCQms4dUv', 'ticQCluVb0', 'YcpQEiVqAj', 'daWQrsQFeT', 'zhgQ6EAFwN', 'bhbQHGT2Y1', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Remittance_Advice 26042024.exe.5d00000.7.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.Remittance_Advice 26042024.exe.5d00000.7.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.Remittance_Advice 26042024.exe.4349970.4.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.Remittance_Advice 26042024.exe.4349970.4.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, QkitiHOXHrjc0ibgLu.cs	High entropy of concatenated method names: 'Dispose', 'GHjMcnNv0p', 'CUPYCDejX8', 'Dhq11xhiYH', 'XOeMIiXoFk', 'EWSMzUlr36', 'ProcessDialogKey', 'LVGYLxbeM0', 'MRwYM8ZD5B', 'V0dYYBJwrA'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, VbZjkyg6SHBfsA2a5c.cs	High entropy of concatenated method names: 'DJMQjwkUhb', 'jt8QJ4O9oA', 'njtQxtTgqE', 'mPlQN2kNHq', 'JRfQfmWKyd', 'BNfQoNFCam', 'zd7QF5MmLJ', 'BhdQX06Bc9', 'ywrQ0R82c2', 'StwQBgOVK5'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, Vw9LeIcLR10kXhLSce.cs	High entropy of concatenated method names: 'ss2NZQcuC4', 'olgNDJBr54', 'MfNxEfbYqk', 'xofxrmPUKu', 'o8mxHsPDwm', 'NONxdaJquF', 'MWWxGWpxTg', 'jqZxgHLE7V', 'Eb6x9gPMnY', 'FmNxP5olO1'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, i4npy5LxrkUhwdY6kiL.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'J9Ja6DWk5L', 'ejLa8fB1A7', 'GUKa3qwgg0', 'tOkapjfiWo', 'VB8aTgGfVJ', 'Oq9a4AvGmI', 's4kaSVPF8Z'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, MWmuxlLM4LqRjBiWLuI.cs	High entropy of concatenated method names: 'Dfmv2OArlD', 'LYuvlKF2cQ', 'lJkviiP3n6', 'zyyvAJUeIb', 'ugZvZsvpO1', 'wOJvRZI1ic', 'cJKvDhHCDF', 'zEdvsKiICs', 'UNHvnuhcNM', 'VLLv5fkWSR'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, g0RhcB20uws1SX75Nl.cs	High entropy of concatenated method names: 'hu2yUjRRL7', 'ExPyIHhPxO', 'x5aQL71ARp', 'e2qQM1Ctpy', 'VepytmTlMS', 'Uu1yV40fKI', 'iPZyeM5OqW', 'bfAy6Dmbfp', 'E28y8Yhp9r', 'YFSy3e0SvW'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, zqHxCdW6rp1yd0aCOD.cs	High entropy of concatenated method names: 'wWyo2rkNvw', 'PRPolFdHPU', 'K2koiiU8y3', 'rSUoAbJ1D6', 'F8koZDR6kG', 'UB9oR0kSBQ', 'wnmoDywwLT', 'kMsosZhDNk', 'PERonGoWfX', 'utLo5Zv76s'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, AGjZDmSFkCArB1Lb05.cs	High entropy of concatenated method names: 'vXYvMHnV7e', 'N3CvunVrf9', 'fNLvKRCkKh', 'WRFvjfxyWj', 'sNXvJSWNaV', 'T4bvNOWWlb', 'eFVvfCdwnD', 'Rs7QSCqWwS', 'h0hQUmcjlT', 'qiYQcnMJup'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, X5o7pNvGPEXF3LPnHU.cs	High entropy of concatenated method names: 'rBNf7KsGS7', 'htSfJdE8qW', 'QgIfN5D3y2', 'cAefogFcWX', 'UyyfFp3InS', 'Md3NTNKaIw', 'n8CN4FuUo9', 'vlgNSLhiR1', 'twtNUYMPvs', 'E8kNceKxun'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, lQeA4VHsyUc9xRw24i.cs	High entropy of concatenated method names: 'S3pWPZavnW', 'M2sWVTDyUv', 'TH5W6oCL2V', 'MREW8cEXT8', 'zcuWCNM7ou', 'JM8WE1LICB', 'GQBWrwG6DN', 'g1MWHPbdM4', 'wCDWdbYSMh', 'aa9WGoqgCN'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, iUHPWcN2naQjryAg8E.cs	High entropy of concatenated method names: 'UbIMofKYRZ', 'QlwMFNNeqG', 'h9DM0oE285', 'CKmMBdO7vx', 'w41MWxl9pG', 'fJSMhmB3MV', 'V8LJwmlSZcLiZ2rCQu', 'uPrdHwFaWiQwtVZbDg', 'AQBMM2pVa1', 'uqyMuZrqGJ'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, qqHHVe1I74QFHsPjeB.cs	High entropy of concatenated method names: 'lQNy0iKE60', 'BwAyBD8n8i', 'ToString', 'TJsyjUX3dN', 'NsvyJo6j69', 'eJiyxubFZu', 'Hj9yNYwBs4', 'qDkyfIkTca', 'iUSyobE6iG', 'pM9yFg0jWS'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, KRFSmBDjaJtSR5MEZy.cs	High entropy of concatenated method names: 'OOuqslgTTl', 'Md2qnwqi9I', 'm34qmhXD3p', 'oFlqCW0qgx', 'KkVqrVqA3c', 'WYkqH2blNy', 'JxEqGFcr08', 'GJnqg2EIl3', 'hf5qPgM0MC', 'GVPqteIvJF'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, mOkB4WXILebSK75DL2.cs	High entropy of concatenated method names: 't5xxAkZ2Jj', 'X28xRbjgxw', 'vwyxsUtn49', 'BqFxnDoPG4', 'FmCxWtKfKu', 'LgyxhhbtHy', 'MDhxyLe4nx', 'rZKxQYPB18', 'SGYxve7OV5', 'V8dxaueUGy'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, uZdw3kATrPC8URTVCE.cs	High entropy of concatenated method names: 'LiWf3s1oZ7', 'OEQfpKJBI0', 'DfwfTo7cXs', 'ToString', 'KKaf4dhQGh', 'loNfScL8G4', 'K6F4Kr7Pw5nMiMIrjuy', 'UD9vbe7LxyoI5CXcFxe', 'etePBA799QV6yLlSph8'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, zH2Vy6oCtfE5Jlubgb.cs	High entropy of concatenated method names: 'qI2J6IQdnv', 'l5lJ80Ahrp', 'Np3J35Ri6q', 'LE1JpNH0bu', 'BZqJTmq6rI', 'FHPJ4VkwNK', 'kTPJS0LRGS', 'grAJUvUqUQ', 'QI1JcG2rid', 'w52JI2X4cV'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, V6lVDE50ADviJOgt3b.cs	High entropy of concatenated method names: 'RSfu7B2N86', 'IUBuj6xl6G', 'zjduJsgGLo', 'ArwuxkpTp0', 'dqPuNhPx7u', 'RlwufkD8c2', 'FTNuotqwdL', 'EoVuFp0J2H', 'MpRuXdX98U', 'RCMu0XMJll'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, bOU9RUzLRXeP8OITj5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HqPvqu0987', 'RbLvWZEWIR', 'p4XvhGNnUJ', 'HF0vyDZKuy', 'aTEvQP9Rc9', 'gSqvv88stK', 'gHPva6Lp6D'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, GS0oRx4tMrwT7L8Ydf.cs	High entropy of concatenated method names: 'YKviyYDQ0', 'mYPArSh8i', 'xnEROWTNq', 'bKGDd2nko', 'nABnn4ilc', 'EeX5E3Bap', 'WynwAaxuutM58fVBfp', 'Vo64CAocH04C3Hg0L7', 'o8nQZ2cXZ', 'u49aVON49'
Source: 0.2.Remittance_Advice 26042024.exe.4fbc460.5.raw.unpack, D6OhfCpyAsHYmerWJY.cs	High entropy of concatenated method names: 'asCQms4dUv', 'ticQCluVb0', 'YcpQEiVqAj', 'daWQrsQFeT', 'zhgQ6EAFwN', 'bhbQHGT2Y1', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Remittance_Advice 26042024.exe PID: 7264, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: 1750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: 3340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: 1920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: 8430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: 7920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: 9430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: A430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: A9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: 8430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: 18D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: 3250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Memory allocated: 5250000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199969	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199859	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199750	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199640	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199531	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199420	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199311	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199203	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199085	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198974	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198859	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198750	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198640	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198531	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198422	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198312	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198203	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198093	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197984	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197875	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197765	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197653	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197547	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197437	Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Window / User API: threadDelayed 1981			Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Window / User API: threadDelayed 7846			Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -99657s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -99532s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -99282s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -98344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -98219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -97891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -97672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -97563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -97438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -97329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -97204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -97079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1199969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1199859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1199750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1199640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1199531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1199420s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1199311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1199203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1199085s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1198974s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1198859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1198750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1198640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1198531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1198422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1198312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1198203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1198093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1197984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1197875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1197765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1197653s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1197547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe TID: 7516	Thread sleep time: -1197437s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 97891	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 97563	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 97438	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 97329	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 97204	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 97079	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199969	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199859	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199750	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199640	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199531	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199420	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199311	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199203	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1199085	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198974	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198859	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198750	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198640	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198531	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198422	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198312	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198203	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1198093	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197984	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197875	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197765	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197653	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197547	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Thread delayed: delay time: 1197437	Jump to behavior

Source: Remittance_Advice 26042024.exe, 00000002.00000002.4157565310.0000000001628000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Memory written: C:\Users\user\Desktop\Remittance_Advice 26042024.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Process created: C:\Users\user\Desktop\Remittance_Advice 26042024.exe "C:\Users\user\Desktop\Remittance_Advice 26042024.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Users\user\Desktop\Remittance_Advice 26042024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Users\user\Desktop\Remittance_Advice 26042024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f7aa60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Remittance_Advice 26042024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f7aa60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4158316953.000000000329E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4155169187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4158316953.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1715861724.0000000004D37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance_Advice 26042024.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Remittance_Advice 26042024.exe PID: 7440, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.5d00000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4349970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4349970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.5d00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1715861724.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1718379417.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Remittance_Advice 26042024.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f7aa60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Remittance_Advice 26042024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f7aa60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4155169187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4158316953.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1715861724.0000000004D37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance_Advice 26042024.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Remittance_Advice 26042024.exe PID: 7440, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f7aa60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Remittance_Advice 26042024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f7aa60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4f3fa40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4158316953.000000000329E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4155169187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4158316953.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1715861724.0000000004D37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance_Advice 26042024.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Remittance_Advice 26042024.exe PID: 7440, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.5d00000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4349970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.4349970.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance_Advice 26042024.exe.5d00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1715861724.0000000004349000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1718379417.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	21 Input Capture	1 Process Discovery	Remote Desktop Protocol	21 Input Capture	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Remittance_Advice 26042024.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.GenSteal
Remittance_Advice 26042024.exe	47%	Virustotal		Browse
Remittance_Advice 26042024.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
innomedjsc.com	0%	Virustotal		Browse
mail.innomedjsc.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://www.sakkal.comtr	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://innomedjsc.com	0%	Avira URL Cloud	safe
http://mail.innomedjsc.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://innomedjsc.com	0%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse
http://mail.innomedjsc.com	1%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
innomedjsc.com	192.249.117.241	true	false	0%, Virustotal, Browse	unknown
mail.innomedjsc.com	unknown	unknown	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	Remittance_Advice 26042024.exe, 00000000.00000002.1715861724.0000000004D37000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4155169187.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.comtr	Remittance_Advice 26042024.exe, 00000000.00000002.1718313926.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.innomedjsc.com	Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.0000000003303000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Remittance_Advice 26042024.exe	false	URL Reputation: safe	unknown
http://innomedjsc.com	Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000036E2000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.00000000032A6000.00000004.00000800.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000002.00000002.4158316953.0000000003303000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Remittance_Advice 26042024.exe, 00000000.00000002.1718208991.0000000005B89000.00000004.00000020.00020000.00000000.sdmp, Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sakkal.com	Remittance_Advice 26042024.exe, 00000000.00000002.1718695353.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.249.117.241	innomedjsc.com	United States		22611	IMH-WESTUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432026
Start date and time:	2024-04-26 10:06:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Remittance_Advice 26042024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 92 Number of non-executed functions: 20
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:07:01	API Interceptor	10156296x Sleep call for process: Remittance_Advice 26042024.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
192.249.117.241	FedEx_AWB#_773600995161.exe	Get hash	malicious	AgentTesla	Browse
	Purchase Inquiry.vbs	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.23935.24720.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.9762.22941.exe	Get hash	malicious	AgentTesla	Browse
	DHL_Awb# 1294476291.exe	Get hash	malicious	AgentTesla	Browse
	DHL Receipt_pdf.vbs	Get hash	malicious	AgentTesla	Browse
	Price Quotation_pdf.vbs	Get hash	malicious	AgentTesla	Browse
	1713252728d0778b270721e7a662a1a17f7505d0149a8cc6f803a15e21ab507860d90a8e63378.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse
	DHL Receipt_pdf.vbs	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Heur.5917.20015.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
IMH-WESTUS	http://www.vacationscenter.mx	Get hash	malicious	Unknown	Browse	192.249.125.97
	http://papajoeschicago.com	Get hash	malicious	Unknown	Browse	104.244.125.15
	FedEx_AWB#_773600995161.exe	Get hash	malicious	AgentTesla	Browse	192.249.117.241
	Purchase Inquiry.vbs	Get hash	malicious	AgentTesla	Browse	192.249.117.241
	SecuriteInfo.com.Win32.CrypterX-gen.23935.24720.exe	Get hash	malicious	AgentTesla	Browse	192.249.117.241
	SecuriteInfo.com.Win32.CrypterX-gen.9762.22941.exe	Get hash	malicious	AgentTesla	Browse	192.249.117.241
	DHL_Awb# 1294476291.exe	Get hash	malicious	AgentTesla	Browse	192.249.117.241
	DHL Receipt_pdf.vbs	Get hash	malicious	AgentTesla	Browse	192.249.117.241
	Price Quotation_pdf.vbs	Get hash	malicious	AgentTesla	Browse	192.249.117.241
	1713252728d0778b270721e7a662a1a17f7505d0149a8cc6f803a15e21ab507860d90a8e63378.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	192.249.117.241

Process:	C:\Users\user\Desktop\Remittance_Advice 26042024.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.958712944575978
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Remittance_Advice 26042024.exe
File size:	857'096 bytes
MD5:	f78fac7fbb75ddcc67dd7cb5b6b6ea97
SHA1:	a9b9c8f3121cb128882d3e59b7ba2b045ce0792f
SHA256:	cd3e530bfaf604d4e59e78d8d8761ab63f0d3d57beff38c1f4802993226af6bb
SHA512:	ec39ce438175b8e431f28ec559f707fd631c66f7e9c4160e28639e12930be14163439b2f03b834433cf1cebcad0e87fa93028ce70148103bff09ee664970341c
SSDEEP:	12288:9bqnHvjNIrpf9rN/mc/CbTrMSrJjxddkDEb8LjkyUtGWpGwvNqKdzPjzow4bkR:9uPjKr5BNDKvBn0kySRpGwoKFzow7
TLSH:	5E05232133799563C2B1CAF086B8D25A1BF7A1593A51E7ED4D9120CF6ED0B50FE20B27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....+f..............0......6........... ........@.. .......................@............@................................

File Icon


Icon Hash:	49598b8999894929

Static PE Info

General

Entrypoint:	0x4cc496
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x662B071E [Fri Apr 26 01:45:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
cmp byte ptr [edi+38h], cl
pop edx
xor eax, 50374856h
xor al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+42h], al
cmp byte ptr [esp+esi+51h], dl
cmp byte ptr [ecx+4Fh], dl
inc esp
push ebp
inc ebp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcc444	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x3204	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xcde00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xca4bc	0xca600	87004528b5798e830a973a341a650df3	False	0.9419841047714639	data	7.965117649121771	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x3204	0x3400	1657030a7ed07eb6d1f26027ec8fc71e	False	0.8815354567307693	data	7.559469503881835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd2000	0xc	0x200	67af9181d08d41ad0f741f2834e40073	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xce0c8	0x2d07	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9655591220612475
RT_GROUP_ICON	0xd0de0	0x14	data	1.05
RT_VERSION	0xd0e04	0x3fc	data	0.42745098039215684

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 10:07:05.821949959 CEST	49737	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:07:06.009491920 CEST	587	49737	192.249.117.241	192.168.2.4
Apr 26, 2024 10:07:06.009598970 CEST	49737	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:07:06.373188972 CEST	587	49737	192.249.117.241	192.168.2.4
Apr 26, 2024 10:07:06.374280930 CEST	49737	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:07:06.561794043 CEST	587	49737	192.249.117.241	192.168.2.4
Apr 26, 2024 10:07:06.562766075 CEST	49737	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:07:06.750596046 CEST	587	49737	192.249.117.241	192.168.2.4
Apr 26, 2024 10:07:06.754839897 CEST	49737	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:07:07.163233995 CEST	49737	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:07:07.350528955 CEST	587	49737	192.249.117.241	192.168.2.4
Apr 26, 2024 10:07:08.319727898 CEST	587	49737	192.249.117.241	192.168.2.4
Apr 26, 2024 10:07:08.319962025 CEST	49737	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:07:08.507329941 CEST	587	49737	192.249.117.241	192.168.2.4
Apr 26, 2024 10:07:08.507730007 CEST	587	49737	192.249.117.241	192.168.2.4
Apr 26, 2024 10:07:08.508835077 CEST	587	49737	192.249.117.241	192.168.2.4
Apr 26, 2024 10:07:08.508907080 CEST	49737	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:07:08.516324997 CEST	49737	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:07:08.703706980 CEST	587	49737	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:33.965697050 CEST	49746	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:34.153100967 CEST	587	49746	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:34.153192043 CEST	49746	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:34.480974913 CEST	587	49746	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:34.481127977 CEST	49746	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:34.669095039 CEST	587	49746	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:34.669472933 CEST	49746	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:34.857466936 CEST	587	49746	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:34.862761021 CEST	49746	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:35.097476006 CEST	587	49746	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:35.663721085 CEST	49746	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:35.727983952 CEST	49747	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:35.890851021 CEST	587	49746	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:35.915858030 CEST	587	49747	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:35.915941954 CEST	49747	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:36.108999968 CEST	587	49747	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:36.109131098 CEST	49747	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:36.222701073 CEST	587	49746	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:36.222721100 CEST	587	49746	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:36.222788095 CEST	49746	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:36.222837925 CEST	49746	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:36.224389076 CEST	587	49746	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:36.224440098 CEST	49746	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:36.304064035 CEST	587	49747	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:36.304230928 CEST	49747	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:36.532001019 CEST	587	49747	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:40.493150949 CEST	587	49747	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:40.493380070 CEST	49747	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:40.681626081 CEST	587	49747	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:40.774538994 CEST	49747	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:40.864499092 CEST	49748	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:41.018032074 CEST	587	49747	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:41.052311897 CEST	587	49748	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:41.052520990 CEST	49748	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:41.279815912 CEST	587	49748	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:41.280112028 CEST	49748	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:41.468198061 CEST	587	49748	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:41.468506098 CEST	49748	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:41.695796013 CEST	587	49748	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:42.219433069 CEST	587	49747	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:42.219500065 CEST	49747	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:42.219502926 CEST	587	49747	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:42.219551086 CEST	49747	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:08:42.220177889 CEST	587	49747	192.249.117.241	192.168.2.4
Apr 26, 2024 10:08:42.220217943 CEST	49747	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:10.210856915 CEST	49748	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:10.291421890 CEST	49749	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:10.710247040 CEST	49748	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:11.350950956 CEST	49749	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:11.614954948 CEST	49748	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:13.350872993 CEST	49749	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:13.397800922 CEST	49748	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:17.008569002 CEST	49748	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:17.350903988 CEST	49749	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:24.194672108 CEST	49748	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:25.352510929 CEST	49749	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:38.382203102 CEST	49748	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:41.456545115 CEST	49750	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:42.460258961 CEST	49750	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:43.548304081 CEST	49751	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:44.460275888 CEST	49750	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:44.554033995 CEST	49751	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:46.554025888 CEST	49751	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:48.475887060 CEST	49750	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:50.554133892 CEST	49751	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:56.663448095 CEST	49750	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:09:58.554982901 CEST	49751	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:02.666739941 CEST	49750	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:03.679038048 CEST	49750	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:04.572571993 CEST	49751	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:05.585326910 CEST	49751	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:05.679039955 CEST	49750	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:07.600929022 CEST	49751	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:09.757481098 CEST	49750	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:11.650583029 CEST	49751	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:17.757255077 CEST	49750	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:19.647900105 CEST	49751	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:23.775083065 CEST	49752	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:24.772819996 CEST	49752	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:25.667093992 CEST	49753	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:26.681166887 CEST	49753	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:26.776626110 CEST	49752	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:28.679378033 CEST	49753	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:30.772870064 CEST	49752	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:32.693104982 CEST	49753	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:38.772836924 CEST	49752	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:40.696573019 CEST	49753	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:44.852415085 CEST	49752	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:45.851109028 CEST	49752	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:46.711683035 CEST	49753	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:47.725980997 CEST	49753	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:47.851120949 CEST	49752	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:49.726006985 CEST	49753	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:51.850972891 CEST	49752	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:53.726005077 CEST	49753	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:10:59.851116896 CEST	49752	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:11:01.725987911 CEST	49753	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:11:05.852581978 CEST	49754	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:11:06.851033926 CEST	49754	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:11:07.727663994 CEST	49755	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:11:08.728574038 CEST	49755	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:11:08.852561951 CEST	49754	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:11:10.725984097 CEST	49755	587	192.168.2.4	192.249.117.241
Apr 26, 2024 10:11:12.850970030 CEST	49754	587	192.168.2.4	192.249.117.241

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 10:07:05.587145090 CEST	57540	53	192.168.2.4	1.1.1.1
Apr 26, 2024 10:07:05.813992977 CEST	53	57540	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 10:07:05.587145090 CEST	192.168.2.4	1.1.1.1	0xde4d	Standard query (0)	mail.innomedjsc.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 10:07:05.813992977 CEST	1.1.1.1	192.168.2.4	0xde4d	No error (0)	mail.innomedjsc.com	innomedjsc.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 10:07:05.813992977 CEST	1.1.1.1	192.168.2.4	0xde4d	No error (0)	innomedjsc.com		192.249.117.241	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 26, 2024 10:07:06.373188972 CEST	587	49737	192.249.117.241	192.168.2.4	220-ngx257.inmotionhosting.com ESMTP Exim 4.96.2 #2 Fri, 26 Apr 2024 01:07:06 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 26, 2024 10:07:06.374280930 CEST	49737	587	192.168.2.4	192.249.117.241	EHLO 066656
Apr 26, 2024 10:07:06.561794043 CEST	587	49737	192.249.117.241	192.168.2.4	250-ngx257.inmotionhosting.com Hello 066656 [102.129.152.220] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Apr 26, 2024 10:07:06.562766075 CEST	49737	587	192.168.2.4	192.249.117.241	AUTH login bmh1bmcuaHRoQGlubm9tZWRqc2MuY29t
Apr 26, 2024 10:07:06.750596046 CEST	587	49737	192.249.117.241	192.168.2.4	334 UGFzc3dvcmQ6
Apr 26, 2024 10:07:08.319727898 CEST	587	49737	192.249.117.241	192.168.2.4	535 Incorrect authentication data
Apr 26, 2024 10:07:08.319962025 CEST	49737	587	192.168.2.4	192.249.117.241	MAIL FROM:<nhung.hth@innomedjsc.com>
Apr 26, 2024 10:07:08.507730007 CEST	587	49737	192.249.117.241	192.168.2.4	550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
Apr 26, 2024 10:08:34.480974913 CEST	587	49746	192.249.117.241	192.168.2.4	220-ngx257.inmotionhosting.com ESMTP Exim 4.96.2 #2 Fri, 26 Apr 2024 01:08:34 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 26, 2024 10:08:34.481127977 CEST	49746	587	192.168.2.4	192.249.117.241	EHLO 066656
Apr 26, 2024 10:08:34.669095039 CEST	587	49746	192.249.117.241	192.168.2.4	250-ngx257.inmotionhosting.com Hello 066656 [102.129.152.220] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Apr 26, 2024 10:08:34.669472933 CEST	49746	587	192.168.2.4	192.249.117.241	AUTH login bmh1bmcuaHRoQGlubm9tZWRqc2MuY29t
Apr 26, 2024 10:08:34.857466936 CEST	587	49746	192.249.117.241	192.168.2.4	334 UGFzc3dvcmQ6
Apr 26, 2024 10:08:36.108999968 CEST	587	49747	192.249.117.241	192.168.2.4	220-ngx257.inmotionhosting.com ESMTP Exim 4.96.2 #2 Fri, 26 Apr 2024 01:08:36 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 26, 2024 10:08:36.109131098 CEST	49747	587	192.168.2.4	192.249.117.241	EHLO 066656
Apr 26, 2024 10:08:36.222701073 CEST	587	49746	192.249.117.241	192.168.2.4	535 Incorrect authentication data
Apr 26, 2024 10:08:36.222721100 CEST	587	49746	192.249.117.241	192.168.2.4	421 ngx257.inmotionhosting.com lost input connection
Apr 26, 2024 10:08:36.304064035 CEST	587	49747	192.249.117.241	192.168.2.4	250-ngx257.inmotionhosting.com Hello 066656 [102.129.152.220] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Apr 26, 2024 10:08:36.304230928 CEST	49747	587	192.168.2.4	192.249.117.241	AUTH login bmh1bmcuaHRoQGlubm9tZWRqc2MuY29t
Apr 26, 2024 10:08:40.493150949 CEST	587	49747	192.249.117.241	192.168.2.4	334 UGFzc3dvcmQ6
Apr 26, 2024 10:08:41.279815912 CEST	587	49748	192.249.117.241	192.168.2.4	220-ngx257.inmotionhosting.com ESMTP Exim 4.96.2 #2 Fri, 26 Apr 2024 01:08:41 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 26, 2024 10:08:41.280112028 CEST	49748	587	192.168.2.4	192.249.117.241	EHLO 066656
Apr 26, 2024 10:08:41.468198061 CEST	587	49748	192.249.117.241	192.168.2.4	250-ngx257.inmotionhosting.com Hello 066656 [102.129.152.220] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-CHUNKING 250-STARTTLS 250 HELP
Apr 26, 2024 10:08:41.468506098 CEST	49748	587	192.168.2.4	192.249.117.241	AUTH login bmh1bmcuaHRoQGlubm9tZWRqc2MuY29t
Apr 26, 2024 10:08:42.219433069 CEST	587	49747	192.249.117.241	192.168.2.4	535 Incorrect authentication data
Apr 26, 2024 10:08:42.219502926 CEST	587	49747	192.249.117.241	192.168.2.4	421 ngx257.inmotionhosting.com lost input connection

Target ID:	0
Start time:	10:07:00
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\Remittance_Advice 26042024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Remittance_Advice 26042024.exe"
Imagebase:	0xe10000
File size:	857'096 bytes
MD5 hash:	F78FAC7FBB75DDCC67DD7CB5B6B6EA97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1715861724.0000000004349000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1718379417.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1715861724.0000000004D37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1715861724.0000000004D37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:07:03
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\Remittance_Advice 26042024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Remittance_Advice 26042024.exe"
Imagebase:	0xfe0000
File size:	857'096 bytes
MD5 hash:	F78FAC7FBB75DDCC67DD7CB5B6B6EA97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4158316953.000000000329E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4155169187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4155169187.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4158316953.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4158316953.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	75
Total number of Limit Nodes:	4

Executed Functions

Function 07AE23E0 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5bf42044fe85db4a487b2178884898eb27c54f96036e65c06ff9242488bacc
Instruction ID: 52ee2a3dd1c3b8d3ca775e4443c5ad0733a4d15e19d0cc384c6a67d10ab58c4d
Opcode Fuzzy Hash: 3c5bf42044fe85db4a487b2178884898eb27c54f96036e65c06ff9242488bacc
Instruction Fuzzy Hash: 9C91DAB0D15609DFCB18CFA5E580A9DFBBAFB89310F20A419E426B7264D7349946CF14

Uniqueness

Uniqueness Score: -1.00%

Function 07AE23D1 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61fb4e44d548006c50e93f0c12fc5561b5b1b691eceafaddb62c9371cc711a3
Instruction ID: aa2ebfb92ed00bd21214d39098d93483e41489bf88e514c2452c17d6c750842b
Opcode Fuzzy Hash: f61fb4e44d548006c50e93f0c12fc5561b5b1b691eceafaddb62c9371cc711a3
Instruction Fuzzy Hash: DD91FAB0D25609DFCB08CFA5E580A9DFBBAFF89310F10A416E426B7264D7349946CF14

Uniqueness

Uniqueness Score: -1.00%

Function 07AE20B8 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f768eb9028d5b42d86b92884968f08d31f405337c95a789e1ba309e16adcabf4
Instruction ID: 64e973f44ab49e2778f79f36494d470a0c60bcd7c4d2d4b1fd645e9fb810413f
Opcode Fuzzy Hash: f768eb9028d5b42d86b92884968f08d31f405337c95a789e1ba309e16adcabf4
Instruction Fuzzy Hash: 218114B5E10619DFCF04CFA9D940AAEFBB6FB89300F00A566E511B7254D7389A02CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07AE20C8 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7de57e3a53f16377f1f78eeb4e9657917955c7af039b7d40aa678ae10080b4
Instruction ID: 52fa15b8b0826f98669f677a789a14337c6be46882ae894d9de08e5ee0599b33
Opcode Fuzzy Hash: 5f7de57e3a53f16377f1f78eeb4e9657917955c7af039b7d40aa678ae10080b4
Instruction Fuzzy Hash: 638122B5E14619CFCF04CFA9C980AAEFBB9FB89300F10A55AE521B7254D7349A42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0175D368 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0175D3F6
GetCurrentThread.KERNEL32 ref: 0175D433
GetCurrentProcess.KERNEL32 ref: 0175D470
GetCurrentThreadId.KERNEL32 ref: 0175D4C9

Memory Dump Source

Source File: 00000000.00000002.1713372568.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Remittance_Advice 26042024.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 65a3903e3679f9edd7c714a1760b9b118a456a3c0676b049523b5dd97a087012
Instruction ID: c1250631e18bc76f29cbeb620f6a6d89140aaae9e60fe4e5439619bf7c9085ea
Opcode Fuzzy Hash: 65a3903e3679f9edd7c714a1760b9b118a456a3c0676b049523b5dd97a087012
Instruction Fuzzy Hash: 8A5155B09002498FEB54DFAAD548BEEBFF1EF49304F24C06AD459A7360C774A984CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0175D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0175D3F6
GetCurrentThread.KERNEL32 ref: 0175D433
GetCurrentProcess.KERNEL32 ref: 0175D470
GetCurrentThreadId.KERNEL32 ref: 0175D4C9

Memory Dump Source

Source File: 00000000.00000002.1713372568.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Remittance_Advice 26042024.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 904b84d7158e4baf77f900988a4801b5549980ea15c8399e3ece131567866ba6
Instruction ID: 7a06b261ff7d8f5d5242448c1a3d259d34c51a6f432476824ac19aba77bea2b3
Opcode Fuzzy Hash: 904b84d7158e4baf77f900988a4801b5549980ea15c8399e3ece131567866ba6
Instruction Fuzzy Hash: A85135B09002098FDB54DFAAD548BDEBBF1AF48314F24C06AE419A7260D774A984CB65

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF944 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07AEFB86

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e6b163ed777bc95a4fd5fc5b98c793d3e1dd613066c6d80a2aa25a9136037d11
Instruction ID: 9e842bf9ca10216e57ea1b8fb2bcf19c9dd9e839f3d53f0f28efa1ea2ddf097e
Opcode Fuzzy Hash: e6b163ed777bc95a4fd5fc5b98c793d3e1dd613066c6d80a2aa25a9136037d11
Instruction Fuzzy Hash: 87A17DB1D0021ADFDB50CF68C840BEDBBB6FF84314F1485A9D858A7250DB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF950 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07AEFB86

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9552f4eee3e7545e7028a81e905ea7ebcfc99fdc8fb5ce9f303703611990e5ce
Instruction ID: 2e0464e2cc9e05fefb1dd7b21001691257ca947e168e9cec08af0fdfb1c784ce
Opcode Fuzzy Hash: 9552f4eee3e7545e7028a81e905ea7ebcfc99fdc8fb5ce9f303703611990e5ce
Instruction Fuzzy Hash: BE917DB1D0021ADFDB50CF69C840BEEBBB6FF84314F1485A9D858A7250DB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0175ACE8 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0175AF3E

Memory Dump Source

Source File: 00000000.00000002.1713372568.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Remittance_Advice 26042024.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: aaff63efe1e9a0b4977fa138f931978a8db2203b7436cd6f774fc9b7c10a6ef0
Instruction ID: 719058d47d671d6ce2a62bc653f089accb8fd48e8a8e54c5c73b9ba70cd3138a
Opcode Fuzzy Hash: aaff63efe1e9a0b4977fa138f931978a8db2203b7436cd6f774fc9b7c10a6ef0
Instruction Fuzzy Hash: 83814670A00B058FDB64DF2AD44479ABBF5FF88304F008A2ED98ADBA54D775E945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017558EC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017559A9

Memory Dump Source

Source File: 00000000.00000002.1713372568.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Remittance_Advice 26042024.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 10d13101692076e79b5084cc3b025fccd45c65960b99f1c87912549dadccd348
Instruction ID: 1a5219fc5766a3362dc969b5f143fd1968452a29474264413884e6bd39f5568e
Opcode Fuzzy Hash: 10d13101692076e79b5084cc3b025fccd45c65960b99f1c87912549dadccd348
Instruction Fuzzy Hash: 9841E1B0C00719CFDB24CFAAC884B9EBBF5BF49304F24806AD448AB255DB756985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 017544E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017559A9

Memory Dump Source

Source File: 00000000.00000002.1713372568.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Remittance_Advice 26042024.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1a15e0693c33aec859127e7b17e4c99f784924c033461ee27db2154765203384
Instruction ID: 9057709d6894beafe54246adbf35f12aa395473a06b1c1d2b30cff1c76c03ce8
Opcode Fuzzy Hash: 1a15e0693c33aec859127e7b17e4c99f784924c033461ee27db2154765203384
Instruction Fuzzy Hash: D041CFB0C00719CFDB24DFA9C844B9EBBF5BF49304F20806AD458AB255DBB56985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF6C1 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AEF758

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7f7db9833aa350eb4e7708ee109c819e24ffc5c5c48766e92e76e9f4eb1730aa
Instruction ID: 1ef233e5d3d4d1f03187c64e73910f76995e8b2e558e7cb72b866e5f23a11de7
Opcode Fuzzy Hash: 7f7db9833aa350eb4e7708ee109c819e24ffc5c5c48766e92e76e9f4eb1730aa
Instruction Fuzzy Hash: DD2135B59002599FDB10DFA9C884BEEBBF5FF88310F10842AE958A7250C7789954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0175D5B8 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0175D647

Memory Dump Source

Source File: 00000000.00000002.1713372568.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Remittance_Advice 26042024.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 92f9857e6528b23242c456057a4171dbf383bb120d9b2eaffaecf4ab4229085d
Instruction ID: d2017315f451f277a9610e98f106dc0dac771386e9532a9a236bbf12ab2e56f8
Opcode Fuzzy Hash: 92f9857e6528b23242c456057a4171dbf383bb120d9b2eaffaecf4ab4229085d
Instruction Fuzzy Hash: D63157B5800259DFDB20CFAAD584ADEFFF4EF09360F14815AE958A7251C374A941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF6C8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07AEF758

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9868518b21dcee6c65be970e262b060f697dc17593ed992b1a4307838fca2fa6
Instruction ID: 7fcb12f4f41a0d33691737bccf10d2d00a9dcef248bae7d59e846b42bc43933a
Opcode Fuzzy Hash: 9868518b21dcee6c65be970e262b060f697dc17593ed992b1a4307838fca2fa6
Instruction Fuzzy Hash: 892127B59003599FDB10DFA9C985BDEBBF5FF48310F10842AE958A7250C7789944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF7B0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AEF838

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 899e28053c56a2300a390efa5b661f04ad0d81ade525926c50108e81b8bb90bd
Instruction ID: 76caf5a26c1d5788080928feed972f6b645f6da115ca750fbda8095f4bfcfd39
Opcode Fuzzy Hash: 899e28053c56a2300a390efa5b661f04ad0d81ade525926c50108e81b8bb90bd
Instruction Fuzzy Hash: 602139B19003599FCB10DFAAC840AEEFBF5FF48320F10842DE958A7250C7389541CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF52A Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AEF5AE

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c99d6b00592288d7adf2bba42026983ff91f8806a0dd26e668922800dcdf62b5
Instruction ID: 4809c03eac0e26dcb2636da7492933157c0b500ca53e865b5c2fc5e12e430d14
Opcode Fuzzy Hash: c99d6b00592288d7adf2bba42026983ff91f8806a0dd26e668922800dcdf62b5
Instruction Fuzzy Hash: 1A2139B19003199FDB10DFAAC4857EEBBF4EF88324F14842AD459A7241CB789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF7B8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07AEF838

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 176643bd92406c1c69d68502acc6c1c670526cc8eeadce7be0683a404dd82504
Instruction ID: 29cfc01ef68c4d815eecb82e99c3b743fc8961a402769639406326e83e7acb3e
Opcode Fuzzy Hash: 176643bd92406c1c69d68502acc6c1c670526cc8eeadce7be0683a404dd82504
Instruction Fuzzy Hash: 1F2128B18002599FCB10DFAAC840AEEFBF5FF48310F108429E958A7250C7389545CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF530 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AEF5AE

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2fa324e1d6b85924743ab0ecc3cf6a8f4df42bdbdcddd3152b5ce6d6e545cc0e
Instruction ID: fbf83d77671339ca7fc828b2f4a1ab6b433605e3f675a31df152d49c6399faea
Opcode Fuzzy Hash: 2fa324e1d6b85924743ab0ecc3cf6a8f4df42bdbdcddd3152b5ce6d6e545cc0e
Instruction Fuzzy Hash: C6214CB19003199FDB10DFAAC4857EEBBF4EF88314F108429D459A7240CB789544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0175D5C0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0175D647

Memory Dump Source

Source File: 00000000.00000002.1713372568.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Remittance_Advice 26042024.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2b53663e10bc9d1a6b2393ec292e2981286bdddf1d6dbd83e510e25a47f9ea71
Instruction ID: fce0eef468a6e89b9d80532f41d34052b345fbf0c32850e984bc9a9b97e208da
Opcode Fuzzy Hash: 2b53663e10bc9d1a6b2393ec292e2981286bdddf1d6dbd83e510e25a47f9ea71
Instruction Fuzzy Hash: CB21C4B5900258DFDB10CF9AD584ADEFFF4EB48310F14841AE958A7350D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF602 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AEF676

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b6b160a082070b7ec57038705e53b13043fdaa04b139956b408905cffb0e4095
Instruction ID: de4f3225a26e3dcd3817e894d87dae03587b75ed9f30f3bc25f2d1f14e8b0aaf
Opcode Fuzzy Hash: b6b160a082070b7ec57038705e53b13043fdaa04b139956b408905cffb0e4095
Instruction Fuzzy Hash: EB1159B1900259DFCB10DFAAC844BDEBFF5EF88320F148429E559A7260C7359940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0175A0A8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0175AFB9,00000800,00000000,00000000), ref: 0175B1CA

Memory Dump Source

Source File: 00000000.00000002.1713372568.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Remittance_Advice 26042024.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9343297b33956bc1a7badec88a8beff13f8f90e42e7389c202c22d3ab3667285
Instruction ID: e9b5adc1f6a87d6c274d61b7b00a0a0eb2a0cb2d3463376bb8276336c35246c4
Opcode Fuzzy Hash: 9343297b33956bc1a7badec88a8beff13f8f90e42e7389c202c22d3ab3667285
Instruction Fuzzy Hash: 651126B69003498FDB50CF9AC444BEEFBF5EB48310F10842EE959A7210C7B5A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0175B159 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0175AFB9,00000800,00000000,00000000), ref: 0175B1CA

Memory Dump Source

Source File: 00000000.00000002.1713372568.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Remittance_Advice 26042024.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d5da5cf9fe18d0e75bc91b0461a9d080b209047389a1fe505d40a2b9d20cc744
Instruction ID: 54299865ab47f9d934f7e8e108574b8d997ab17c45a82c033ddeb28c9dd5db0f
Opcode Fuzzy Hash: d5da5cf9fe18d0e75bc91b0461a9d080b209047389a1fe505d40a2b9d20cc744
Instruction Fuzzy Hash: 5B1142B68003498FDB10CFAAC844AEEFFF4EB88310F14842AD858A7210C774A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF608 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07AEF676

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: db5ba8d0c5e37f79459d4c67c9b51e12a5b397ddadf776b4314371f87d3a7fc7
Instruction ID: 300a2daf759daba3a40f24efef3106bc0314de6e92c226453a35796d52f8fa85
Opcode Fuzzy Hash: db5ba8d0c5e37f79459d4c67c9b51e12a5b397ddadf776b4314371f87d3a7fc7
Instruction Fuzzy Hash: 651137B19002599FCB10DFAAC844BDFBFF5EF88320F208419E559A7260C775A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF040 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07AEF0AA

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 083a14c854a040dceb45c1774878c8da52d63c6470025e5ad2262f6d3116467e
Instruction ID: d34fe8c0c3066b4e0f15a73e3bbb3f8fc646d343705d78a01a216cda8d1ec299
Opcode Fuzzy Hash: 083a14c854a040dceb45c1774878c8da52d63c6470025e5ad2262f6d3116467e
Instruction Fuzzy Hash: A31188B1D00259CFCB20DFAAC4447DEFBF5EB88324F24842AC459A7240CB38A544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF048 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07AEF0AA

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c4570116a582da200ac63f2edff5ac385358379007362b995092e092dffef5d3
Instruction ID: 83ca3fccf2e3b035d7dde80ab62b81fa612dbf688be3ba377902169cb944c78c
Opcode Fuzzy Hash: c4570116a582da200ac63f2edff5ac385358379007362b995092e092dffef5d3
Instruction Fuzzy Hash: E5113AB19002598FDB20DFAAC4457DEFBF4EB88324F20842AD559A7250CB75A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0175AED8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0175AF3E

Memory Dump Source

Source File: 00000000.00000002.1713372568.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Remittance_Advice 26042024.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0c6fd7afd58bde1ac01150759b734d8fbd59eee1003060f62e9637f100e9c5d0
Instruction ID: fd39cf276b24b464564cf3fceadd7e8c875edde1a681f318eaa99c7952f3d723
Opcode Fuzzy Hash: 0c6fd7afd58bde1ac01150759b734d8fbd59eee1003060f62e9637f100e9c5d0
Instruction Fuzzy Hash: 8C1110B6C002498FDB10CF9AC444ADEFBF4EF88324F10852AD959A7250C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712251546.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4656f517bb47801c63e21b88ab94ae06fae8b4dec6d27355f07ad03e593ae406
Instruction ID: 714a512473066b81c95e12e39e7ff5689618fa9f8e751f069792abbd1af725c3
Opcode Fuzzy Hash: 4656f517bb47801c63e21b88ab94ae06fae8b4dec6d27355f07ad03e593ae406
Instruction Fuzzy Hash: 3F21F171900240DFDB05DF58D9C0B67BF65FB8831CF20C5AAE9090A266C33AD456CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712251546.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae9d61c7edfc25f543be05539ad89f6fddb30da596ab39696a2ff622687a739
Instruction ID: f6d5099ac95d61243b55b6494a6fe0645f6ee89cc80113b22f5fdfd8d63fd473
Opcode Fuzzy Hash: eae9d61c7edfc25f543be05539ad89f6fddb30da596ab39696a2ff622687a739
Instruction Fuzzy Hash: 0621F471900204DFDB05DF58D9C0B97BF65FB94318F20C5BAD9094B266C33AE456CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 014CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712295230.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378f2602072eda82915006e11caa3963a6eed9821de294b200b8fd86a67e97a9
Instruction ID: d3e9f8e12edd48077ffe7a20f325ffb59cf287f9393bf0665861d375dee9638d
Opcode Fuzzy Hash: 378f2602072eda82915006e11caa3963a6eed9821de294b200b8fd86a67e97a9
Instruction Fuzzy Hash: 552133B8904200DFCB55DF58D980B16BBA1EB84718F20C57ED80A4B366C336C407CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 014CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712295230.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1ad42059ec0b1331428f7dbd324e2587e2c54504c37c35ed3bf12b6c0b7ddb
Instruction ID: 7424fa4a64e80f817724b6dc4540f804eb70815e84186faacc5998daaf43c2fe
Opcode Fuzzy Hash: 1c1ad42059ec0b1331428f7dbd324e2587e2c54504c37c35ed3bf12b6c0b7ddb
Instruction Fuzzy Hash: 76214979904200DFDB41DF98C9C0B26BBA6FB84724F20C57ED8094B362C336D446CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 014CD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712295230.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51b21a7ec3ee698994228621171920a7d8a39e956273d4b7e32504739456a86
Instruction ID: 2a85c90edca3b972a96e7eea1bcef5dc9c002f2c2499a9369045ac0df02cde89
Opcode Fuzzy Hash: d51b21a7ec3ee698994228621171920a7d8a39e956273d4b7e32504739456a86
Instruction Fuzzy Hash: 7B2171755093808FD712CF28D594716BF71EB46214F28C5EBD8498B667C33A980ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712251546.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: a15428a1d9525d869969b0ef99de845673c203a1fcbce3274a520254220a2118
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 7211D272804240CFDB02CF44D5C4B96BF71FB94314F24C6AAD9090B266C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712251546.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 4b0b268d43bf1489f9513daa69b7074ca96a5025573dcf751a959b0bdb2474a8
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: E711E172804280CFCB02CF54D9C4B56BF71FB84318F24C6AAD8090B266C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712295230.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14cd000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 739b719f26d5867b6d7b7d624fd259184e5e092c30b1eebfbbf368d7c200a519
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F211BE79904240DFDB02CF54C5C4B16BF62FB84624F24C6BED8494B366C33AD40ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 014BD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712251546.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26eaf75311df60bdd0e65c868319109cf237cce5e436fa684d47978161f32c1d
Instruction ID: 7d4e37bc44033ad6ab81f37e09c6dc67ead29abe8d4d44b62313b57c2a4fd447
Opcode Fuzzy Hash: 26eaf75311df60bdd0e65c868319109cf237cce5e436fa684d47978161f32c1d
Instruction Fuzzy Hash: AC012B714083809AE7105E6ACDC4BE7BFD8DF41328F18C5ABED080A2A6C639D841CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 014BD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1712251546.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14bd000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aea72371fa103c1d46f73beed904048b01b085a1dee469c1d2da4b9bbd557ab
Instruction ID: a2061d77332ae7585902dd81878f94cc8bb49231fbab41455f1672c47301b4fc
Opcode Fuzzy Hash: 4aea72371fa103c1d46f73beed904048b01b085a1dee469c1d2da4b9bbd557ab
Instruction Fuzzy Hash: 46F062754083849EE7118E1AC8C8BA3FFA8EF41638F18C55AED484A296C2799845CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07AE5F70 Relevance: 5.3, Strings: 4, Instructions: 259COMMON

Download Yara Rule

Strings

T+-q, xrefs: 07AE62AA
[V~*, xrefs: 07AE60DC
[V~*, xrefs: 07AE60D5
]\`, xrefs: 07AE61F2

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$[V~*$]\`
API String ID: 0-1849991408
Opcode ID: ef3653630cdf001e38494404c55d5f99042ccdd0087511a6b6b800cacadc488c
Instruction ID: dfd7df81f0f0de5e236ada77c6e94a9ab62fe2d608cebdd4a81f278f005638a5
Opcode Fuzzy Hash: ef3653630cdf001e38494404c55d5f99042ccdd0087511a6b6b800cacadc488c
Instruction Fuzzy Hash: 61B1D6B0E15619DBCB04CFAAD98099EFBF6BF99300F14D92AD429BB214D73099428F54

Uniqueness

Uniqueness Score: -1.00%

Function 07AE5F61 Relevance: 4.0, Strings: 3, Instructions: 257COMMON

Download Yara Rule

Strings

T+-q, xrefs: 07AE62AA
[V~*, xrefs: 07AE60DC
]\`, xrefs: 07AE61F2

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$]\`
API String ID: 0-3978741314
Opcode ID: 842b4e29c6935ae98bedbe806b9da2c17e1426a4d4796db9dcfcd08caaa958e0
Instruction ID: 7c91dc826a15d2b90e765b5e57c661b90f6370eb8c065621e94b57750bcdea63
Opcode Fuzzy Hash: 842b4e29c6935ae98bedbe806b9da2c17e1426a4d4796db9dcfcd08caaa958e0
Instruction Fuzzy Hash: 1FB1F6B4E15219DFCB04CFAAD98089EFBF6BF99300F14D92AD425BB218D73099428F54

Uniqueness

Uniqueness Score: -1.00%

Function 07AEC788 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2e00ad4a77cafa1f447beb1732737f19c5661f933523c817a3c7ac0f40a835
Instruction ID: b5d5e3585b2be43c5357708bffa6df3c85238cad29fd1fdd21b99306ec823da6
Opcode Fuzzy Hash: 1a2e00ad4a77cafa1f447beb1732737f19c5661f933523c817a3c7ac0f40a835
Instruction Fuzzy Hash: 83E10AB4E042198FCB14CFA9C5809AEFBB6FF89314F249159E454AB356DB30AD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07AEF0F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca2f89cd59f476a99bcaf146e07b8aa2c123fc5cc26f7a35480d1854732a1fd
Instruction ID: 2f23788dbf67532f4e48c2c0d69678da4bc52ba67d3e2645ed3cc9e687dde696
Opcode Fuzzy Hash: cca2f89cd59f476a99bcaf146e07b8aa2c123fc5cc26f7a35480d1854732a1fd
Instruction Fuzzy Hash: D5E1FAB4E042198FCB54CFA9C5809AEFBB6FF89304F249169E415AB356DB31AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07AED018 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffeaf58f0f60b964a38e14696eba34f7df895653b2127a13b44d388efe7b6cf2
Instruction ID: 84a1a43df418ef777774af9da2192a7db8fcb998c7ac24570d06871bf9178dfa
Opcode Fuzzy Hash: ffeaf58f0f60b964a38e14696eba34f7df895653b2127a13b44d388efe7b6cf2
Instruction Fuzzy Hash: C4E1FAB4E042198FCB14DFA9C5809AEFBB6FF89304F249169E414AB356DB35AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07AECBE0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e221a0ab575ceb35e09dbd04a169c0226e7d9471cd515b6de56a0c086bed886f
Instruction ID: d168dda68fe2f54eb77a431ae423702a18377abbb271695bd54732cc9bd34726
Opcode Fuzzy Hash: e221a0ab575ceb35e09dbd04a169c0226e7d9471cd515b6de56a0c086bed886f
Instruction Fuzzy Hash: E7E10CB4E012198FCB14CFA9C5809AEFBB6FF89314F249169E414AB356DB31AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07AEE820 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1246d14970223fc3b7193562ff2037047e162384aadf4ff22336b8b1eb81bbe
Instruction ID: ed896094ce12f71fecbce2e4be84c13f2ced2a4e3e2e210f8e71f7ed62e5bb52
Opcode Fuzzy Hash: d1246d14970223fc3b7193562ff2037047e162384aadf4ff22336b8b1eb81bbe
Instruction Fuzzy Hash: 09E1E9B4E042198FDB14CFA9C5809AEFBB6FF89314F249159E415AB356DB30A981CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07AE4901 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd0d2b60e2137a8508f1e013264f79802c8ea73780b274a2d5bd8d02d3d313f
Instruction ID: 98774d4611731f2ced58bc4d719915c06e6a1e1a6fe87f2ce7b3f1524e7c8cd4
Opcode Fuzzy Hash: ccd0d2b60e2137a8508f1e013264f79802c8ea73780b274a2d5bd8d02d3d313f
Instruction Fuzzy Hash: AFD1E43582061A8ACB00EFA4D990AEDF775FF99310F50979AE00937261EF706AC5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07AE4910 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1163f7749bd982abd66fc93385b24e7e8d037f91403ca1df2caa2e71a4a5d261
Instruction ID: 469ce437f7849cc0d16d10816d5c002023a02c5bd862b8491101ece8f6ecd653
Opcode Fuzzy Hash: 1163f7749bd982abd66fc93385b24e7e8d037f91403ca1df2caa2e71a4a5d261
Instruction Fuzzy Hash: 24D1D23582065A8ACB00EBA4D990AEDF775FF99310F50979AE00937261EF706AC5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0175D2A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713372568.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa710191ca82b461646bcf5e1384a4f4cbf2677ccfe1b84b69fcc00fb3f9a6ee
Instruction ID: adaf4684da4b30f3f0e708df82b9e523254a2c380c4e83c4932b7da41cef698a
Opcode Fuzzy Hash: aa710191ca82b461646bcf5e1384a4f4cbf2677ccfe1b84b69fcc00fb3f9a6ee
Instruction Fuzzy Hash: 0AA18136E006098FCF55DFB4C84459EFBB2FF84300B2585AAE905AB2A5DF71E956CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07AE0228 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67919bd7d7772f75c1db19fe65a115760a0ae1cc0367ecd46452c10c27b96754
Instruction ID: 6387ce215d8e5f5d2bdc792ef0ea702ff1f3593fd95884b29bb92b4829d757a5
Opcode Fuzzy Hash: 67919bd7d7772f75c1db19fe65a115760a0ae1cc0367ecd46452c10c27b96754
Instruction Fuzzy Hash: 0681C0B4E10219CFCB44CFA9C5849AEFBF5FF89250F24956AE415AB320D370AA42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07AE0219 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bba3b29be404f3e6829c58df4df2810d7912d345af219f13f52335221e365c1
Instruction ID: 894b04c7461139eed3b5e7e99664a60d4372a0aa3cc5605e73ff19c4a7822d71
Opcode Fuzzy Hash: 1bba3b29be404f3e6829c58df4df2810d7912d345af219f13f52335221e365c1
Instruction Fuzzy Hash: 1D81C1B4E11219CFCB44CFA9C5849AEBBF5FF89350F24956AE415AB320D370AA42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07AE1688 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d518462a3f76cbe63dbec444d8fb9ac59af68d4a60e95cdd7668804aa950ae
Instruction ID: e287b0e5d522bb721f3a6915ddf8cf69681d623d1fdddbb16b68fe125572348a
Opcode Fuzzy Hash: e5d518462a3f76cbe63dbec444d8fb9ac59af68d4a60e95cdd7668804aa950ae
Instruction Fuzzy Hash: F861DDB093670DEBC740CF91E18A15DBFB6FBC9300F24A895D095AB164DB3896A78B05

Uniqueness

Uniqueness Score: -1.00%

Function 07AE10E0 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952e47e252dfaef86dc83d02a39884efa741a1c19b602a8ed57b9fc789b31c8e
Instruction ID: 780099360273d339ffc042ce84d9c69e61c38f569ae4a14d6217f94ce30a9f1e
Opcode Fuzzy Hash: 952e47e252dfaef86dc83d02a39884efa741a1c19b602a8ed57b9fc789b31c8e
Instruction Fuzzy Hash: BC6125B4E1521EDFCB04CFAAD9815EEFBB6BF89300F14906AD425A7204D7349A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07AE10D1 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa119efef56b5c308fbddae1872be91e78387af2f480c25447e003518a3ddc8d
Instruction ID: 287ddb71c9dbf3769957e35b32f74d67054768821a123e56e44cacc5c9b43a3f
Opcode Fuzzy Hash: fa119efef56b5c308fbddae1872be91e78387af2f480c25447e003518a3ddc8d
Instruction Fuzzy Hash: C0512AB5E1521ADFCB04CFAAD8815AEFBB6FF89300F14D42AD425A7240D7349641CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07AE3060 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d333dd858516e5438fad9cf460f68393d13b301d994ce535c3642a973902cd71
Instruction ID: 7e50fc7599dedc0f444063a8324c2e4a40d744e91807872ad97185bc56962419
Opcode Fuzzy Hash: d333dd858516e5438fad9cf460f68393d13b301d994ce535c3642a973902cd71
Instruction Fuzzy Hash: 545118B0E1520A9FCF08CFAAD4455AEFFF6EF89310F14942AE415A7254D7345A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07AE3070 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4092d4bb07f47e2e59b1f866c01d790939d158b28bb0228f6d33ff7fd93adb46
Instruction ID: 1ab89e5927f109a1a85c6504fb00f7a0bd486a4369db6bc6412ad032d11c4035
Opcode Fuzzy Hash: 4092d4bb07f47e2e59b1f866c01d790939d158b28bb0228f6d33ff7fd93adb46
Instruction Fuzzy Hash: 7A5107B0E1521ADFCF08CFAAD4455AEFFF6EF89310F10A42AE415A7254D7345A428F94

Uniqueness

Uniqueness Score: -1.00%

Function 07AEE812 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab10fb8ebab8557470662c45610ffbefb9e89a4115073b8617d9a7c9f987132b
Instruction ID: abd4ca515af2319798e569f84b2e9d8d19850f0d00b63be5de76b80dbcb5a173
Opcode Fuzzy Hash: ab10fb8ebab8557470662c45610ffbefb9e89a4115073b8617d9a7c9f987132b
Instruction Fuzzy Hash: 6F510AB4E042198FDB14CFA9C5809AEFBF6AF89314F14C169D418A7356DB34A942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07AE1441 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd869670c59079905187deae03ac6629540c1e41a5b6e5684508369bbc9429f9
Instruction ID: b1d3d7e1b45c118eda371549bc7c747a0af408f11593ed96c23dbaa1d9ecd620
Opcode Fuzzy Hash: cd869670c59079905187deae03ac6629540c1e41a5b6e5684508369bbc9429f9
Instruction Fuzzy Hash: 4541F5B0E1021ADBCB08CFAAD4815AEFBF6BF89310F14D12AD425A7354E7349A818F54

Uniqueness

Uniqueness Score: -1.00%

Function 07AE1450 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1720974629.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ba7fb379658413f9050210b05b9763c140f32672f353871e8c56d35a844f47
Instruction ID: 832e24d61a70a368b736213182094edf2f66a82c46191284c7c7715da008366a
Opcode Fuzzy Hash: 12ba7fb379658413f9050210b05b9763c140f32672f353871e8c56d35a844f47
Instruction Fuzzy Hash: 6F41E7B0E1121ADFDB44CFAAD4815AEFBF6BF89310F14D12AD425A7310E7349A418F54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Remittance_Advice 26042024.exePID: 7440, Parent PID: 7264COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	27
Total number of Limit Nodes:	6

Executed Functions

Function 01AB9C70 Relevance: 2.9, Instructions: 2861COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61962211dc12bd21205d2767155284afaf818ccce2132874190cae671ffa81e
Instruction ID: 377378eec34a049e05d790d611109f0d279106808548ea6f530e478df6697acd
Opcode Fuzzy Hash: c61962211dc12bd21205d2767155284afaf818ccce2132874190cae671ffa81e
Instruction Fuzzy Hash: 91630831D10B5A8ACB51EF68C8805E9F7B1FF99310F15D79AE45877221EB70AAC4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01AB94B8 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48988b7bd8ceebb6ca16ff9d631c4876f5f98e845cefc4ef2765e3a59e54dab6
Instruction ID: e44ffd45e456d3933e6d417ebae3dfebd8b6685900c44d1003df7990a1a603ca
Opcode Fuzzy Hash: 48988b7bd8ceebb6ca16ff9d631c4876f5f98e845cefc4ef2765e3a59e54dab6
Instruction Fuzzy Hash: CD32A074A002058FDB15CFA8D584AAEBBB6FF88314F148569EA09DB366DB34DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01AB4308 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f3c438df27c2e049b35c62c60512449f266500b8e4829f2cfce4bf694fbdb2
Instruction ID: baf4594e813e6792f6d4b817e1f98b78eb352be5e15c65e8c608c31c1ab5c95a
Opcode Fuzzy Hash: 12f3c438df27c2e049b35c62c60512449f266500b8e4829f2cfce4bf694fbdb2
Instruction Fuzzy Hash: 3FB16D70E00249CFDF14CFA9C9957EDBBF6AF8C314F188129D816A7256EB749846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01AB4BD8 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1da5ca42327dda91d45f01007ece24a62741a1f323cebbb1ac92fe2ec569b43
Instruction ID: 1687e0f96f344480228a3c8a70bed3547dc1fa60742d8319a23a0eeeffcb4494
Opcode Fuzzy Hash: c1da5ca42327dda91d45f01007ece24a62741a1f323cebbb1ac92fe2ec569b43
Instruction Fuzzy Hash: 25B14E70E002498FDB10CFA9C9C57EDBBF6AF4C714F188529E816A7296EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01AB3FC0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae4386b6d7bd2edc6b5c452eef7a0c27064bf1b7f2f43193af37e4d27e1a62d
Instruction ID: 3eaa15864cd27f0a6d8976d86cbec131cc0f0eb174fee65f8675509f7da2f089
Opcode Fuzzy Hash: fae4386b6d7bd2edc6b5c452eef7a0c27064bf1b7f2f43193af37e4d27e1a62d
Instruction Fuzzy Hash: 31915B70E00249DFDF14CFA9D9817DEBFF6AF88314F148129E41AA7256EB349885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01AB7018 Relevance: 2.6, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 01AB713C
LR^q, xrefs: 01AB704E

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: e7eac1f78e2313bd0b23464d9fa028da6f49064cd06a90ba21ea281ba5105cbd
Instruction ID: 3604a457832ec95a412952783e3074babec58a9a7194cb69ec3a0cce6d471005
Opcode Fuzzy Hash: e7eac1f78e2313bd0b23464d9fa028da6f49064cd06a90ba21ea281ba5105cbd
Instruction Fuzzy Hash: 7F419130A102459FDB1ADFB8D4947DEB7B6FF85300F24846AE405EB392DBB09C468B91

Uniqueness

Uniqueness Score: -1.00%

Function 068EE1E0 Relevance: 1.6, APIs: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.4163040768.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_68e0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c2842a6ecde911b251afdab658294342530be4d0afb7bdba4b168ae570806d
Instruction ID: cd5b234ea8db01b2c122bccd968107488499e464ea611a0e674e6773cc32cb4e
Opcode Fuzzy Hash: 09c2842a6ecde911b251afdab658294342530be4d0afb7bdba4b168ae570806d
Instruction Fuzzy Hash: FF414772D043569FCB04CFB9D8043AEBFF1AF99210F1885AAD448E7251DB749885CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 068ED5CC Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,068EE232), ref: 068EE31F

Memory Dump Source

Source File: 00000002.00000002.4163040768.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_68e0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d2f596f8b258d1e788e37a7a0bf8a3aac971eb448f37df18726bb4a099e91c90
Instruction ID: b1626f0ae5307194ea1ef4e2959c14bf01be6377d46b2e530ac6d6d3d45ddfcf
Opcode Fuzzy Hash: d2f596f8b258d1e788e37a7a0bf8a3aac971eb448f37df18726bb4a099e91c90
Instruction Fuzzy Hash: 8B1144B1C00659DBCB10CF9AC548BDEFBF4EB08320F10812AE818A7251D378A940CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 068EE2B0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,068EE232), ref: 068EE31F

Memory Dump Source

Source File: 00000002.00000002.4163040768.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_68e0000_Remittance_Advice 26042024.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e45ece7ecbb9765b7f4dcf3b1d18c49a865bc1c41a2dc050162f3cea990c8d87
Instruction ID: 114689f74a9923e89b09c00e8a5872e644a705321d2fcf6127264452a8d81a0d
Opcode Fuzzy Hash: e45ece7ecbb9765b7f4dcf3b1d18c49a865bc1c41a2dc050162f3cea990c8d87
Instruction Fuzzy Hash: 061144B1C00259DFCB10CF9AC548BDEFBF4AF48320F14816AD858A7250D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01ABF525 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

PH^q, xrefs: 01ABF673

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 35046532d9544279adc3ab7f494c15aad120886eaa1dc00773311a653dc342ab
Instruction ID: 3da4b8db8c57f2b4740e4607b234d60cb5541da9ce3eca5b4147f3ad9d40a88c
Opcode Fuzzy Hash: 35046532d9544279adc3ab7f494c15aad120886eaa1dc00773311a653dc342ab
Instruction Fuzzy Hash: F33124307002418FDB169F38D9A46AEBBF6AB85300F18452DD806DB3A6DF35DC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01ABF538 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 01ABF673

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: db40b61650211d2edf70e7291e874a63dd4698a646210e023464fd1d9d6dc9fb
Instruction ID: 058ec0e87ee37feae05447cb02aa1c6ac3c56b2ae119fe47ba9090acd72e28fb
Opcode Fuzzy Hash: db40b61650211d2edf70e7291e874a63dd4698a646210e023464fd1d9d6dc9fb
Instruction Fuzzy Hash: 6531D4307002458FDB169B38D9A46AEBBE6AB89340F28452DD406DB3A6DF35DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01AB70B8 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01AB713C

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: ea1250524e8941b7b21b861b6840aaaba41e4a5b7c9e3551d6ca606d187c6507
Instruction ID: be4c6aba35ea8c7c2a2ea43bc3cd60845d2e3df9fdbd5fb919a9d1534932f862
Opcode Fuzzy Hash: ea1250524e8941b7b21b861b6840aaaba41e4a5b7c9e3551d6ca606d187c6507
Instruction Fuzzy Hash: 18318530E102499BDF15CFA9D8847DEB7B6FF85310F144425E905EB291DBB09841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01AB6CC8 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01AB6D17

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: bceaf9d89c4f68d87f86011c7ba78d2b27c3b6873f7f591f8d1749374e6a43de
Instruction ID: 27fa477ecf456f61c50c1f11414f5be6926d4a80b6a251eae41f64e7b8232335
Opcode Fuzzy Hash: bceaf9d89c4f68d87f86011c7ba78d2b27c3b6873f7f591f8d1749374e6a43de
Instruction Fuzzy Hash: 752146726042418FD741AB78D46439E3BBAEF85300B1844BBC54DCB766EE39CC468BD6

Uniqueness

Uniqueness Score: -1.00%

Function 01AB7A4A Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc39446f1fef9727f4b226100d35929921eab8a2383ca139172e461549d80aa
Instruction ID: 7acf01d10b48b59b93bc14a076d28220cc9617a97cc14fc2bfae7e2e839e1b11
Opcode Fuzzy Hash: acc39446f1fef9727f4b226100d35929921eab8a2383ca139172e461549d80aa
Instruction Fuzzy Hash: C6126E307003469FCB5B9B3CE4946687AAAFBC5341F544939E905CB3A5CF79EC868B90

Uniqueness

Uniqueness Score: -1.00%

Function 01AB42FC Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b126a105263321234ddf20231898ba0f198edd1fe2c4b3e7d6f840a1e22a209d
Instruction ID: 818602285d904781a560de35ea1a2e9a0995bf58b91caca68d8d0ddd8dba8e3d
Opcode Fuzzy Hash: b126a105263321234ddf20231898ba0f198edd1fe2c4b3e7d6f840a1e22a209d
Instruction Fuzzy Hash: B0B15B70E00299CFDF10CFA9C9957DDBBF5AF4C314F188129E81AA7256EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01AB4BCE Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a74c745d3f5a5f6ed627df8ebe3d84b1bc22e04ac2de965fb98f4568b6a384
Instruction ID: 0804290e4723b6daf964f5c3207e8ef27cea81e2c9b0a13bcb3c72bc023fd576
Opcode Fuzzy Hash: f3a74c745d3f5a5f6ed627df8ebe3d84b1bc22e04ac2de965fb98f4568b6a384
Instruction Fuzzy Hash: BEA15E70E002898FDB10CFA9C9C57EDBBF5BF4C714F148529E816A7296EB749885CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01AB94A4 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8323806c975074e4936f855acc5493a6aed301ea6cfb69d539830e02f35bb7f
Instruction ID: 27d43ebe7cb18ab73b62a5aa6ed40680ea2a8d2f0a3a6c268c7f06dee6c5e4d1
Opcode Fuzzy Hash: e8323806c975074e4936f855acc5493a6aed301ea6cfb69d539830e02f35bb7f
Instruction Fuzzy Hash: 24917E74A002088FCB15DF69D584AAEBBF6FF88314F148565EA06E7366DB34DC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AB3FB4 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004015627a36cdc8a733de1b6b3dd4b4fdaf749968fbcca83d7ed7dcb4fe52af
Instruction ID: 61a494fcd46a04c47eb3bb7553fb9f74b491364465599d0dc4c21d93071c19fc
Opcode Fuzzy Hash: 004015627a36cdc8a733de1b6b3dd4b4fdaf749968fbcca83d7ed7dcb4fe52af
Instruction Fuzzy Hash: 45915B70E00289DFDB10CFA9D9817DDBFF5AF88314F148129E81AA7256EB749885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01AB112A Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700d2961d92faf6b6332f8e8b3de2291ae76886aaa173d499e0392cff6a2daf0
Instruction ID: 442e947e9fb4422ce3042a9b5c6388224aaeb75017ba8ddc26a3cdd9c0ffc5f1
Opcode Fuzzy Hash: 700d2961d92faf6b6332f8e8b3de2291ae76886aaa173d499e0392cff6a2daf0
Instruction Fuzzy Hash: ED911A30341345EFCB06DB6CF998A59BF7AEB85300B0155A8D4045B3B9DB386D89DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01AB1138 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6789bdc410a7615d47824c7a547185c279c63eb5a407c45e902eff3dbce8cb49
Instruction ID: 4aee221131b67c193f359965fd1b18527db79e77ec83ada8b1428ffe8c8dc6fc
Opcode Fuzzy Hash: 6789bdc410a7615d47824c7a547185c279c63eb5a407c45e902eff3dbce8cb49
Instruction Fuzzy Hash: 95810B30341305EFCB06DB6CF998A59BB7AFB85300B0155A8D4045B3B9DB386D89DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01AB4950 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49d7af982a6412c9c811abaa296c3dd4943a022e10e9e7ea3d154493957d9b1
Instruction ID: 74dad1c8bc3e552de851119f8e97290d784aa138c6af274caf808341005a748b
Opcode Fuzzy Hash: e49d7af982a6412c9c811abaa296c3dd4943a022e10e9e7ea3d154493957d9b1
Instruction Fuzzy Hash: 05716BB0E002498FDB14CFA9C9807DEFBF6BF88714F148129E416A7256EB749842CB85

Uniqueness

Uniqueness Score: -1.00%

Function 01AB4944 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6974cb054adceaa295e0cd296461efd173fb7b7fffbe3c9e61eb74d497f965a
Instruction ID: fd400decd513029862aec7da6787704b83e1d9f860604b17b38fbbf90bc72131
Opcode Fuzzy Hash: b6974cb054adceaa295e0cd296461efd173fb7b7fffbe3c9e61eb74d497f965a
Instruction Fuzzy Hash: C3717AB0E002898FDB10CFA9C9817DEFFF5BF88714F188129E416A7256EB749845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01AB6E1D Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a487981a2031f3ef04a3b2301438dab964469c880eb73eda0a1e09d91d7e5d2
Instruction ID: 9b392cbc135dc0f3dbc3bb20bcb72c8a2082e6a25ab8de7d7eb42d1246337d61
Opcode Fuzzy Hash: 1a487981a2031f3ef04a3b2301438dab964469c880eb73eda0a1e09d91d7e5d2
Instruction Fuzzy Hash: DA51F3B0D002588FDB18CFA9C884BDEBBB5BF48714F548129E819BB392D774A845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01AB6E28 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474f96d7319c6a785633bb0ea569136921db1846b934f10247feb69e6a4bbb51
Instruction ID: 0e2a6357f4d98ee00c90c7d84eabfe18cb9f2eb49e0bda3be87261207c51706a
Opcode Fuzzy Hash: 474f96d7319c6a785633bb0ea569136921db1846b934f10247feb69e6a4bbb51
Instruction Fuzzy Hash: 8B51F3B0D002588FDB18CFA9C884BDDBBB5BF48714F548119E819BB392D774A845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01AB9291 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc57498ddc44f729ae447cccb5f02be2419558aaf34b60e4bafbb40bd3e65c48
Instruction ID: 6a9418af0863942b7927ae1b5a06333b10b9f5399f0f609b8e83d190d77a80fb
Opcode Fuzzy Hash: fc57498ddc44f729ae447cccb5f02be2419558aaf34b60e4bafbb40bd3e65c48
Instruction Fuzzy Hash: D631E675E002458BDB19CFA8D4806DFBBBAEF89314F14852AE915EB382DB709846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AB14C0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce720efe6f9c5bee21cf4298563b0d765394f85cbccfbd99df3725e71eb6b8f
Instruction ID: 1f5cea35f5024c011a22aae96479378d491202995e6504f9883b423f9d0c4f7d
Opcode Fuzzy Hash: dce720efe6f9c5bee21cf4298563b0d765394f85cbccfbd99df3725e71eb6b8f
Instruction Fuzzy Hash: F131E170700345DFDB22977CF4A876C7B6AEB46350F180969E80AD7392CA39EC85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01ABF3E9 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2399298db99aa11605c71bef424f830ce7e1a28a2e1999e43fb1595c223dd5c5
Instruction ID: fe07a73d8e70e581248fbc56f84d18343de74f4821230db9ee48354c1b55fd67
Opcode Fuzzy Hash: 2399298db99aa11605c71bef424f830ce7e1a28a2e1999e43fb1595c223dd5c5
Instruction Fuzzy Hash: F3319031E002069FCB19DFA9D89469EB7B6FF89300F148919E906E7352DB34EC46CB40

Uniqueness

Uniqueness Score: -1.00%

Function 01AB07F8 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16e20b51b235f1155fd432241e349f398801f58271c322931b50f78b6a73b80
Instruction ID: 877b7e88230aeaf0dbc06ea55b4566699fcafe428cfacba38e717e51dcb9d62e
Opcode Fuzzy Hash: b16e20b51b235f1155fd432241e349f398801f58271c322931b50f78b6a73b80
Instruction Fuzzy Hash: 8A31E832A042C44BDB23ABBCD6953EF7BB9EB42254F24447AE442DB253D561CD858BC1

Uniqueness

Uniqueness Score: -1.00%

Function 01AB281C Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422b6b06211cfb01b3a11fcaa59c7cc977da492b09d170617c52818c55e3b7cb
Instruction ID: fede12b6bfdfabfd0002eac0900c2dc5f5f0e1617101c2c2ce360c86fbcc414f
Opcode Fuzzy Hash: 422b6b06211cfb01b3a11fcaa59c7cc977da492b09d170617c52818c55e3b7cb
Instruction Fuzzy Hash: 1741DFB0D003899FDB10DFA9C580ADEBFF5FF48314F14842AE819AB264DB74A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01ABF3F8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d43b6e5963f65ac783f963cf0d2cd8ef488f03197a5e6ce77349107c87a9a9
Instruction ID: 3c4ad150b3784369a41b75b74a422c7df9dc9214a2270574292c20ce19c73c39
Opcode Fuzzy Hash: a2d43b6e5963f65ac783f963cf0d2cd8ef488f03197a5e6ce77349107c87a9a9
Instruction Fuzzy Hash: 1B317034E102499FCF19DFA9D894A9EB7B6FF89300F148529E806E7352DB74AC46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AB2828 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21850193e95bfb99da25f16a503a08b7d7099b15dafb2856048f7107853730d
Instruction ID: f3a443fdaa6550830991e1ebdd8a329e1fc0e248923ce1850d3099c1fae5a722
Opcode Fuzzy Hash: b21850193e95bfb99da25f16a503a08b7d7099b15dafb2856048f7107853730d
Instruction Fuzzy Hash: E441CEB0D0034D9FDB14DFA9C984ADEBFF5BF48314F14802AE819AB264DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01AB15CA Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6e5a17baad54f0e83d6e7b9440b0c8115d5f03e273b1af493417142a410242
Instruction ID: 9ea64179def6ef43eb6561f74cc0ee0179fa923a265ea5f6b36fbe0b9a6a3cd5
Opcode Fuzzy Hash: 4b6e5a17baad54f0e83d6e7b9440b0c8115d5f03e273b1af493417142a410242
Instruction Fuzzy Hash: CF217171B002858FDF269B7CA5E42ED7BBDEB05250F18057AE806D7243E739D881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01AB938F Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00412fd6c41d7bb025fb9b7a19799fa949388a7ae5214239e6e6a9fd49ec43c3
Instruction ID: 33b4ce57663a85a09bd3b0399d6d9a64970e42dc6d92d755c8826e4e1c7576ca
Opcode Fuzzy Hash: 00412fd6c41d7bb025fb9b7a19799fa949388a7ae5214239e6e6a9fd49ec43c3
Instruction Fuzzy Hash: 18319371E0024A9BCB09CFA9D4906DFB7BAFF85304F148619E905EB352DB749885CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01AB17E0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 121b8177735b3aaf87378ff74265acc1f59f415319759c57c13bd5c5b7997d6f
Instruction ID: 71595fb7726b360c1043edb395b3f3e8eb7abfcd8fbb722a7002af82ae824d7a
Opcode Fuzzy Hash: 121b8177735b3aaf87378ff74265acc1f59f415319759c57c13bd5c5b7997d6f
Instruction Fuzzy Hash: 6C2192306002425FDB13D76CF8D87AA7769E745384F146921E80ACB267EB38DC858F92

Uniqueness

Uniqueness Score: -1.00%

Function 01AB93A0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334b4fd4a986261a339075624331ebe059a24d5e0e83caa8fae20e7ac0d87857
Instruction ID: 80e4ead3e593d94ee15547d738df60514fe777e60542761bdf3429ce66df9e67
Opcode Fuzzy Hash: 334b4fd4a986261a339075624331ebe059a24d5e0e83caa8fae20e7ac0d87857
Instruction Fuzzy Hash: F3219371E0024A9BCB05CFA9D4806DFF7B6FF85304F148619E905EB242DB749886CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0156D1E4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4156966359.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_156d000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6235ebd0ec5afc850426d72487dc029e17b38590df9ae05a86552baa04afcc81
Instruction ID: de08d0844c61e24832c27c5be8af4253826d8de0ff1a5fe9ea021b865b903d9f
Opcode Fuzzy Hash: 6235ebd0ec5afc850426d72487dc029e17b38590df9ae05a86552baa04afcc81
Instruction Fuzzy Hash: 03212671604240DFDB01DF98D584B2ABBB9FB84324F24CA69D8894F256C37AD446CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 0156D394 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4156966359.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_156d000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b00e1e8cbd545461d9026ae8e3aeb9ad25974c03ee3906087c4e0dfca33c15
Instruction ID: 59d4a97085bfb7e76745883d0aa9eb34192bd15584a60553729ea337c61a7f5f
Opcode Fuzzy Hash: 78b00e1e8cbd545461d9026ae8e3aeb9ad25974c03ee3906087c4e0dfca33c15
Instruction Fuzzy Hash: B521D371704244DFDB05DF58D5C0B2ABBB9FB84314F24C969D88A4F252C776E846CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0156D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4156966359.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_156d000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadb88b7a46546f51fa2c30b8a7ae11e8c00ca268b0bd073ced7096dd9ef5612
Instruction ID: 6caca3536799c28fcb039ef882e840af8c00e27c52f36bef280c115220f368f3
Opcode Fuzzy Hash: aadb88b7a46546f51fa2c30b8a7ae11e8c00ca268b0bd073ced7096dd9ef5612
Instruction Fuzzy Hash: CF210375604200DFCB15DF58D584B2ABBB9FB84324F20C969D8894F256D33BD446CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AB92A0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfcd2f0e71c20d663f3f22d7b02655bc17d612f68b71c2e2648e30fa8df9cf3
Instruction ID: a939b417acf997a22bc482f7c97c71efa74fb6f8135f917f40decd9c0ba26556
Opcode Fuzzy Hash: bcfcd2f0e71c20d663f3f22d7b02655bc17d612f68b71c2e2648e30fa8df9cf3
Instruction Fuzzy Hash: C521D470E002469BCB09CFA8C490ADFF7B6BF89304F14851AE915FB381DB70A846CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01AB19C8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b904bddeefbefa730334e72160314bad728f3392ad5f511069cf54a545ec82d
Instruction ID: 27655de5725ac6f0065ff8d0ddebb6ce3bfb04abc36a755512e4572e0f9f0cbf
Opcode Fuzzy Hash: 3b904bddeefbefa730334e72160314bad728f3392ad5f511069cf54a545ec82d
Instruction Fuzzy Hash: F6213030700285CFDB14DB68E6A56EE77F9AF49204F1004ADD106EB3A1DB35DD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AB50CA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571bb6c4aab4065f0afe8177b25bfb32f094a048f88d2e4466d9f9e0aa98ae04
Instruction ID: 1a588cad1e6bfbbc2c8c0b54decd8c419f1746e1f9efc790c6b4e198ecd36cb5
Opcode Fuzzy Hash: 571bb6c4aab4065f0afe8177b25bfb32f094a048f88d2e4466d9f9e0aa98ae04
Instruction Fuzzy Hash: 0A213B34B00245CFDB15DF78E699AAD7BF5BF49210F1000A8E406EB3A1DB359D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AB17F0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 620156b66f2ac5b6d02b363a2f7296034b75448ce27f4547ba9734179905007f
Instruction ID: d32f9fdfac543c43320ab3c78203383853a8b8270c3ed2588c7b4cc6e151345f
Opcode Fuzzy Hash: 620156b66f2ac5b6d02b363a2f7296034b75448ce27f4547ba9734179905007f
Instruction Fuzzy Hash: 942151307102414FDB13D76CF8D879A775EFB49394F106925E90ACB266EB38DC858B92

Uniqueness

Uniqueness Score: -1.00%

Function 01AB19B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388568f0b89888b55a7a4d01766a082d7c7883dfddc3da026ba7385a08e54ec2
Instruction ID: 1e2b4fcaa7f49864be672e58921dc3f808c89c7c7c1a8119876c2c22cd858e8c
Opcode Fuzzy Hash: 388568f0b89888b55a7a4d01766a082d7c7883dfddc3da026ba7385a08e54ec2
Instruction Fuzzy Hash: DE212C31700285CFEB14DB68E6A56EE77F9EF49244F2004ADD106EB3A1DB359D41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AB50D8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101c52069cf27f56721a14877fa0df03c32ba7ff293a59866bce45c7439c3dfc
Instruction ID: 2067ed332ec851093d5cba8c5783379da5014898e7231fc93c0b1ec42e437f7a
Opcode Fuzzy Hash: 101c52069cf27f56721a14877fa0df03c32ba7ff293a59866bce45c7439c3dfc
Instruction Fuzzy Hash: 8E213C34B00244CFDB15EB78E599A9D77F5FF49214F1000A8E506EB3A1DB369D04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01AB0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d1586e31dcbc60ba47c0ad8b49362cd720eefb6d237622f57eb88ca4679181
Instruction ID: 0c01190223bf6c2b44c394d7f55c4b751361026f8ee8609642ba39c50050dcf5
Opcode Fuzzy Hash: d9d1586e31dcbc60ba47c0ad8b49362cd720eefb6d237622f57eb88ca4679181
Instruction Fuzzy Hash: 6F119D30B002448BDF669BBCD6843AF76BAEB45350F104939F406CF253DA65CE858BC1

Uniqueness

Uniqueness Score: -1.00%

Function 0156D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4156966359.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_156d000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75532f5658f495a87278a2259dae882042a4d0007c7645b434101fd987f2228
Instruction ID: daeddb4c91ae5272e7d09efb087f4099957c6e46ffe3420d3e30601af3fc7e3a
Opcode Fuzzy Hash: d75532f5658f495a87278a2259dae882042a4d0007c7645b434101fd987f2228
Instruction Fuzzy Hash: 532183755093808FD703CF24D594715BF71FB46214F28C5DAD8898F267C33A980ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01AB1900 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d4b9308b370fd27ad1fffe99a818d0a31a8d6b4d9b3aa600c5e766c9631890
Instruction ID: dacdef8593c9a008ba9ce55617bba4db7be90687f075ba6c5daabb46b32ac01b
Opcode Fuzzy Hash: 25d4b9308b370fd27ad1fffe99a818d0a31a8d6b4d9b3aa600c5e766c9631890
Instruction Fuzzy Hash: 93112931B102819FCB01AF78A84969E7FAAFB49254F140064ED49C3341EE3598028FD2

Uniqueness

Uniqueness Score: -1.00%

Function 01AB15D8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed3784b88e2e5c2c29f98c5822df3160393826788d3085f611943a1d1c7f202
Instruction ID: 07eecc1a711dbc1b2b31e4a115220a27cf1758002296fae05818dcd5cecb5f67
Opcode Fuzzy Hash: eed3784b88e2e5c2c29f98c5822df3160393826788d3085f611943a1d1c7f202
Instruction Fuzzy Hash: F7014071B012558FCF25EFBC95A01EEBBF9EF58250B180479E805E7202E735D9418BE5

Uniqueness

Uniqueness Score: -1.00%

Function 0156D1DF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4156966359.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_156d000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction ID: abb42b1b7422e7150e0821e86cb0dcfc3edf77f26002edcc4877c6cf60928c0a
Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
Instruction Fuzzy Hash: C2119D76604280CFDB12CF54D5C4B1ABF71FB84224F28C6AAD8494F656C33AD40ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0156D38F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4156966359.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_156d000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 546738e5b70704b1358e6b1567494b6de546212b86940ad0184b99ff86a20561
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: E511D075604280DFDB02CF54D5C4B59BF71FB84314F24CAA9D8494F652C37AE84ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 01AB99D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16ff276eb4a55bd58bc3de45150848fba56ed20284186d5571275bcca8debb2
Instruction ID: 4760d7274cff4a891e50fbd685bde5570592d42abdbdeff410f56743bb5a1c2e
Opcode Fuzzy Hash: a16ff276eb4a55bd58bc3de45150848fba56ed20284186d5571275bcca8debb2
Instruction Fuzzy Hash: 96019230A002058FDB04EF69D9C468ABBA5FF80310F54C274C90C5F29AEB70E94AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01AB8230 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7bb4331ef7f4ba7509a34972ca05a6533ca98b17a9b9d881dcf3654eb5d3323
Instruction ID: 6016586971e8d5d0915ea4201b0533466ead6da8479e6212a7ea5a9bc66bc33e
Opcode Fuzzy Hash: b7bb4331ef7f4ba7509a34972ca05a6533ca98b17a9b9d881dcf3654eb5d3323
Instruction Fuzzy Hash: 1B016730A1020DEFCB41EBACF990ADCBBF9EB84344F1062B5C5045B264DB355E459B55

Uniqueness

Uniqueness Score: -1.00%

Function 01AB1664 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36896ab9d3ae4176dc11f4969a565e7f266d0fc6a20e5377febee7844ccbc8c
Instruction ID: 87371b8f68903e7260d6dd756da5902b53b59d5278670e267b4c242ab002dca1
Opcode Fuzzy Hash: c36896ab9d3ae4176dc11f4969a565e7f266d0fc6a20e5377febee7844ccbc8c
Instruction Fuzzy Hash: B2F0F073A041908BDB228BA8A8F02ECBBB8EE6816175D00E7D805DB212E325D942C791

Uniqueness

Uniqueness Score: -1.00%

Function 01AB71D0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198a18623e3e3c9b4ff82001cdd2cb10741a6ad801001d6523588891e281866b
Instruction ID: 47e77f57fae14c0ce74b8535bfda150442b157b78ada8a5ac4ece1a9aab050c7
Opcode Fuzzy Hash: 198a18623e3e3c9b4ff82001cdd2cb10741a6ad801001d6523588891e281866b
Instruction Fuzzy Hash: B6F0C435B00204CFC718DB64D5A9A6D77B2EF89655F5440A8EA0ADB3A0DF35AD42CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01AB8240 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d9f80e9e6ee5c00a73d979f0a266d68fbdad226fb3148f70727cec589d579b
Instruction ID: 0a3fbfa304e0ff185e7385874828725b56faadab05c4ea8ae31d228f3550bc3e
Opcode Fuzzy Hash: 50d9f80e9e6ee5c00a73d979f0a266d68fbdad226fb3148f70727cec589d579b
Instruction Fuzzy Hash: 34F06830A0020EEFCB41EBBCF99499DB7F9EB84344F5052B9C8089B264DF356E459B95

Uniqueness

Uniqueness Score: -1.00%

Function 01ABD25D Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4158124448.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ab0000_Remittance_Advice 26042024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e17d4cb59b35e7bcde109d86d1c601d8e9b1bd65f25640331436c138194af2
Instruction ID: 9d13887d87e818a22d2a42d355278bbf2762692b4fd5fca26301b09d2164e1f9
Opcode Fuzzy Hash: 21e17d4cb59b35e7bcde109d86d1c601d8e9b1bd65f25640331436c138194af2
Instruction Fuzzy Hash: 88F0A7B5A002055FDB44CFB9D8C4BBBBBB9EFC4320B44C195F948DB04AD6349846C764

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Remittance_Advice 26042024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance_Advice 26042024.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
Remittance_Advice 26042024.exe

Function 0175D368 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Function 0175D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 07AEF944 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 07AEF950 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 0175ACE8 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Function 017558EC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 017544E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 07AEF6C1 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Function 0175D5B8 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Function 07AEF6C8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 07AEF7B0 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Function 07AEF52A Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre