Windows Analysis Report remmittance copy.exe

Overview

General Information

Sample Name: remmittance copy.exe
Analysis ID: 510735
MD5: c039d3d94f0cc82369c066e26a67e0f6
SHA1: 79519d3cbee4d7af49cf1572ed9a5fa87b2186fe
SHA256: 219816561a364b4e85a344de1a4d7c7f74a01068f9a51bbb7e3101c9c9dd05ac
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to detect virtual machines (SLDT)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 5.0.remmittance copy.exe.400000.10.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1373897190", "Chat URL": "https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocument"}
Source: remmittance copy.exe.3864.5.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendMessage"}
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.remmittance copy.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.remmittance copy.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.remmittance copy.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 5.2.remmittance copy.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.remmittance copy.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.remmittance copy.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: remmittance copy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49848 version: TLS 1.2
Source: remmittance copy.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d999ffec9f8e5bHost: api.telegram.orgContent-Length: 1004Expect: 100-continueConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown HTTP traffic detected: POST /bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8d999ffec9f8e5bHost: api.telegram.orgContent-Length: 1004Expect: 100-continueConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.telegram.org
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49848 version: TLS 1.2

System Summary:

.NET source code contains very large array initializations
Source: 5.0.remmittance copy.exe.400000.10.unpack, <PrivateImplementationDetails>{7C91D473-0DDA-4702-9A20-92CE3F18005D}/583F6263-B84E-47F2-98C9-CCA7257F7A36.cs Large array initialization: .cctor: array initializer size 12005
Source: 5.0.remmittance copy.exe.400000.6.unpack, <PrivateImplementationDetails>{7C91D473-0DDA-4702-9A20-92CE3F18005D}/583F6263-B84E-47F2-98C9-CCA7257F7A36.cs Large array initialization: .cctor: array initializer size 12005
Source: 5.0.remmittance copy.exe.400000.8.unpack, <PrivateImplementationDetails>{7C91D473-0DDA-4702-9A20-92CE3F18005D}/583F6263-B84E-47F2-98C9-CCA7257F7A36.cs Large array initialization: .cctor: array initializer size 12005
Uses 32bit PE files
Source: remmittance copy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Sample file is different than original file name gathered from version info
Source: remmittance copy.exe, 00000000.00000000.658275489.000000000071A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFlushWriteAsyncd.exe8 vs remmittance copy.exe
Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTaskNode.dll4 vs remmittance copy.exe
Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamepkWOHfaeoUgOQtOOIIrYvXqkodqITNMscRuGJ.exe4 vs remmittance copy.exe
Source: remmittance copy.exe, 00000004.00000000.674939754.00000000001AA000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFlushWriteAsyncd.exe8 vs remmittance copy.exe
Source: remmittance copy.exe, 00000005.00000000.678550597.0000000000C8A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFlushWriteAsyncd.exe8 vs remmittance copy.exe
Source: remmittance copy.exe, 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamepkWOHfaeoUgOQtOOIIrYvXqkodqITNMscRuGJ.exe4 vs remmittance copy.exe
Source: remmittance copy.exe, 00000005.00000002.923372714.00000000010F8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs remmittance copy.exe
Source: remmittance copy.exe Binary or memory string: OriginalFilenameFlushWriteAsyncd.exe8 vs remmittance copy.exe
PE file contains strange resources
Source: remmittance copy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: remmittance copy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\remmittance copy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\remmittance copy.exe 'C:\Users\user\Desktop\remmittance copy.exe'
Source: C:\Users\user\Desktop\remmittance copy.exe Process created: C:\Users\user\Desktop\remmittance copy.exe C:\Users\user\Desktop\remmittance copy.exe
Source: C:\Users\user\Desktop\remmittance copy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\remmittance copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\remmittance copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\remmittance copy.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\remmittance copy.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/1
Source: C:\Users\user\Desktop\remmittance copy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: remmittance copy.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: 5.0.remmittance copy.exe.400000.10.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.remmittance copy.exe.400000.6.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.remmittance copy.exe.400000.8.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\remmittance copy.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\remmittance copy.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\remmittance copy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: remmittance copy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: remmittance copy.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: remmittance copy.exe, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.remmittance copy.exe.6b0000.0.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.remmittance copy.exe.6b0000.0.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.remmittance copy.exe.140000.3.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.remmittance copy.exe.140000.1.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.remmittance copy.exe.140000.0.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.remmittance copy.exe.140000.0.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.remmittance copy.exe.140000.2.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.remmittance copy.exe.c20000.13.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.remmittance copy.exe.c20000.1.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.remmittance copy.exe.c20000.3.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.remmittance copy.exe.c20000.0.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.remmittance copy.exe.c20000.9.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.remmittance copy.exe.c20000.2.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.remmittance copy.exe.c20000.1.unpack, ShallowThought/GameEngine.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\remmittance copy.exe Code function: 0_2_07853D90 push esp; retf 0_2_07853D91
Source: C:\Users\user\Desktop\remmittance copy.exe Code function: 0_2_07853952 pushfd ; iretd 0_2_07853955
Source: C:\Users\user\Desktop\remmittance copy.exe Code function: 5_2_00DC2877 push ebx; ret 5_2_00DC287A
Source: C:\Users\user\Desktop\remmittance copy.exe Code function: 5_2_00DC1B9A push edx; retf 5_2_00DC1B9B
Source: C:\Users\user\Desktop\remmittance copy.exe Code function: 5_2_00DD7A37 push edi; retn 0000h 5_2_00DD7A39
Source: C:\Users\user\Desktop\remmittance copy.exe Code function: 5_2_00DE030B push 8BFFFFFFh; retf 5_2_00DE0318
Source: C:\Users\user\Desktop\remmittance copy.exe Code function: 5_2_02FCCF71 push esp; iretd 5_2_02FCCF7D
Source: C:\Users\user\Desktop\remmittance copy.exe Code function: 5_2_02FCDB4D push FFFFFF8Bh; iretd 5_2_02FCDB5B
Source: initial sample Static PE information: section name: .text entropy: 7.80880242174

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\remmittance copy.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.remmittance copy.exe.2a2c9d4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: remmittance copy.exe PID: 6336, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\remmittance copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\remmittance copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\remmittance copy.exe TID: 6340 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe TID: 1440 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe TID: 588 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe TID: 5348 Thread sleep count: 379 > 30 Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe TID: 5348 Thread sleep count: 9484 > 30 Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\remmittance copy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\remmittance copy.exe Window / User API: threadDelayed 379 Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Window / User API: threadDelayed 9484 Jump to behavior
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\Desktop\remmittance copy.exe Code function: 0_2_006B7AAF sldt word ptr [eax] 0_2_006B7AAF
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\remmittance copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\remmittance copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\remmittance copy.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: remmittance copy.exe, 00000005.00000002.923688399.000000000136F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnitoG
Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\remmittance copy.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\remmittance copy.exe Code function: 5_2_00DC0DF8 LdrInitializeThunk, 5_2_00DC0DF8
Source: C:\Users\user\Desktop\remmittance copy.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\remmittance copy.exe Memory written: C:\Users\user\Desktop\remmittance copy.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\remmittance copy.exe Process created: C:\Users\user\Desktop\remmittance copy.exe C:\Users\user\Desktop\remmittance copy.exe Jump to behavior
Source: remmittance copy.exe, 00000005.00000002.924047026.0000000001A90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: remmittance copy.exe, 00000005.00000002.924047026.0000000001A90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: remmittance copy.exe, 00000005.00000002.924047026.0000000001A90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: remmittance copy.exe, 00000005.00000002.924047026.0000000001A90000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Users\user\Desktop\remmittance copy.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Users\user\Desktop\remmittance copy.exe VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Telegram RAT
Source: Yara match File source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: remmittance copy.exe PID: 6336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remmittance copy.exe PID: 3864, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match File source: 5.0.remmittance copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.remmittance copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.remmittance copy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.remmittance copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.remmittance copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.remmittance copy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.remmittance copy.exe.3b39030.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.678447633.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.678850422.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.679389493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.923014189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.682657468.00000000039E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: remmittance copy.exe PID: 6336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remmittance copy.exe PID: 3864, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\remmittance copy.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\remmittance copy.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\remmittance copy.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\remmittance copy.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\remmittance copy.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\remmittance copy.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\remmittance copy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\remmittance copy.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\remmittance copy.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: remmittance copy.exe PID: 3864, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match File source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: remmittance copy.exe PID: 6336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remmittance copy.exe PID: 3864, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match File source: 5.0.remmittance copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.remmittance copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.remmittance copy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.remmittance copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.remmittance copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.remmittance copy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.remmittance copy.exe.3b39030.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.678447633.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.678850422.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.679389493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.923014189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.682657468.00000000039E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: remmittance copy.exe PID: 6336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: remmittance copy.exe PID: 3864, type: MEMORYSTR