Windows Analysis Report
REMITTANCE COPY.exe

Overview

General Information

Sample Name: REMITTANCE COPY.exe
Analysis ID: 756282
MD5: e54ca4f235a6878e6c4913b4ddcba055
SHA1: b91ce873b8a93b46ebac12b5d1e62f3a1a9dd27f
SHA256: 6acfd9ea1b88077926a542fd286da3119b626792f71b09927ca252236245d43a
Tags: agentteslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: REMITTANCE COPY.exe ReversingLabs: Detection: 21%
Source: REMITTANCE COPY.exe Virustotal: Detection: 49% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: REMITTANCE COPY.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 10.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 10.0.RegSvcs.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}
Uses 32bit PE files
Source: REMITTANCE COPY.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: REMITTANCE COPY.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr
Source: Binary string: tDw0Ivm.pdb source: REMITTANCE COPY.exe, FSmZIJwnxoJulr.exe.1.dr
Source: Binary string: RegSvcs.pdb source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_02B27F18
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_02B27F09
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_02B294B0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_02B294C0
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49702 -> 119.148.27.3:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49702 -> 119.148.27.3:587
Source: RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000013.00000002.565816116.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566299272.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://BUBAorlAmTfYEKM.org
Source: RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://JXqRNJ.com
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571267257.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 0000000A.00000003.404386589.00000000067EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571422388.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493584481.0000000005F50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: REMITTANCE COPY.exe, 00000001.00000003.288469959.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com8
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.orogenicgroup-bd.com
Source: RegSvcs.exe, 00000013.00000003.493584481.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571466727.0000000005F56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571267257.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: REMITTANCE COPY.exe, 00000001.00000003.303771050.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303959941.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303624192.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303913362.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303859975.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303721912.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303668105.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agfamonotype.E
Source: REMITTANCE COPY.exe, 00000001.00000003.291989862.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: REMITTANCE COPY.exe, 00000001.00000003.293125528.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com4
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comK
Source: REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comOp8
Source: REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comTyp
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.come-d
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comll
Source: REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comn
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comn-u
Source: REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.como.O
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comorm
Source: REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comr
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.336773384.00000000014B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: REMITTANCE COPY.exe, 00000001.00000003.304551334.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298354512.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298303175.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: REMITTANCE COPY.exe, 00000001.00000003.299382446.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers9
Source: REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers:
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersHr
Source: REMITTANCE COPY.exe, 00000001.00000003.304433086.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersVr
Source: REMITTANCE COPY.exe, 00000001.00000003.297651784.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersur
Source: REMITTANCE COPY.exe, 00000001.00000003.288206696.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288094280.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288042735.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comW
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cna-e8
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnava
Source: REMITTANCE COPY.exe, 00000001.00000003.291721850.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.291634809.0000000005D84000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnf
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnft
Source: REMITTANCE COPY.exe, 00000001.00000003.291102483.0000000005D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cniUI
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnorm
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnormX
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/i-
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.335473766.0000000005D8F000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300945403.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.302829024.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.301785961.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346313308.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.305138593.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: REMITTANCE COPY.exe, 00000001.00000003.296476214.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com8
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comp
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnX
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cncro
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: mail.orogenicgroup-bd.com

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 11.2.FSmZIJwnxoJulr.exe.2b2ba44.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.2e0ba18.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
.NET source code contains very large array initializations
Source: 10.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1A51FE34u002d102Bu002d4B81u002dB647u002d9B5BFE7FC3FBu007d/u00339A8F051u002d32C9u002d4CC9u002dBC08u002dBE27BEFD88F4.cs Large array initialization: .cctor: array initializer size 10971
Uses 32bit PE files
Source: REMITTANCE COPY.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 11.2.FSmZIJwnxoJulr.exe.2b2ba44.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 1.2.REMITTANCE COPY.exe.2e0ba18.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Detected potential crypto function
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B22B98 1_2_02B22B98
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B22788 1_2_02B22788
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B22F40 1_2_02B22F40
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B248E0 1_2_02B248E0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B268E8 1_2_02B268E8
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B28468 1_2_02B28468
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B20040 1_2_02B20040
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B245B0 1_2_02B245B0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B26AD2 1_2_02B26AD2
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B20A30 1_2_02B20A30
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B20A23 1_2_02B20A23
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B24220 1_2_02B24220
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B24211 1_2_02B24211
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B22B88 1_2_02B22B88
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B22F30 1_2_02B22F30
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B22778 1_2_02B22778
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B248D0 1_2_02B248D0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B268DB 1_2_02B268DB
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B20006 1_2_02B20006
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B2459F 1_2_02B2459F
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B209D3 1_2_02B209D3
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B23939 1_2_02B23939
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B20540 1_2_02B20540
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B23948 1_2_02B23948
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_051EC5E4 1_2_051EC5E4
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_051EE8F8 1_2_051EE8F8
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_051EE8E8 1_2_051EE8E8
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_074F5F48 1_2_074F5F48
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_074F0560 1_2_074F0560
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_074FB570 1_2_074FB570
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_074F5F37 1_2_074F5F37
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_07500040 1_2_07500040
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_07500006 1_2_07500006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0189F780 10_2_0189F780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0189FAC8 10_2_0189FAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0594C518 10_2_0594C518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_05940548 10_2_05940548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_05942638 10_2_05942638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0594D278 10_2_0594D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06894E28 10_2_06894E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0689E770 10_2_0689E770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0689A4C0 10_2_0689A4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_068985B8 10_2_068985B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06890040 10_2_06890040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0689D518 10_2_0689D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0689D578 10_2_0689D578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_068973D0 10_2_068973D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_068E0D58 10_2_068E0D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_068E5950 10_2_068E5950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_068EA7D1 10_2_068EA7D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_068E6089 10_2_068E6089
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_068E6188 10_2_068E6188
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 05946F60 appears 52 times
Sample file is different than original file name gathered from version info
Source: REMITTANCE COPY.exe, 00000001.00000002.350779687.0000000007860000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000000.283146986.0000000000A02000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCassa.dll< vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.342389295.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: REMITTANCE COPY.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FSmZIJwnxoJulr.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: REMITTANCE COPY.exe ReversingLabs: Detection: 21%
Source: REMITTANCE COPY.exe Virustotal: Detection: 49%
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe File read: C:\Users\user\Desktop\REMITTANCE COPY.exe Jump to behavior
Source: REMITTANCE COPY.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\REMITTANCE COPY.exe C:\Users\user\Desktop\REMITTANCE COPY.exe
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe File created: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe File created: C:\Users\user\AppData\Local\Temp\tmp72FE.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/9@2/1
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: RegSvcs.exe, 0000000A.00000002.434916098.0000000003682000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.565780443.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: REMITTANCE COPY.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_01
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Mutant created: \Sessions\1\BaseNamedObjects\DuSwhYmlPmBH
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs Cryptographic APIs: 'CreateDecryptor'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs Cryptographic APIs: 'CreateDecryptor'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs Cryptographic APIs: 'CreateDecryptor'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: REMITTANCE COPY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: REMITTANCE COPY.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: REMITTANCE COPY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr
Source: Binary string: tDw0Ivm.pdb source: REMITTANCE COPY.exe, FSmZIJwnxoJulr.exe.1.dr
Source: Binary string: RegSvcs.pdb source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs .Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs .Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs .Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B23754 pushfd ; ret 1_2_02B2375A
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B28CFB push eax; retf 1_2_02B28D01
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_02B28CF8 pushad ; retf 1_2_02B28CF9
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_051EB879 pushfd ; iretd 1_2_051EB885
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Code function: 1_2_07503616 push ebx; retf 1_2_07503617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0594F488 push esp; retf 10_2_0594F5A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06890040 push es; iretd 10_2_06891304
Source: initial sample Static PE information: section name: .text entropy: 7.462745784487049
Source: initial sample Static PE information: section name: .text entropy: 7.462745784487049
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'
Drops PE files
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe File created: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe TID: 1004 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe TID: 4668 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 4776 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 5604 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9841 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9710
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99843 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99513 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99296 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99161 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99036 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98726 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98617 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98430 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98311 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98202 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98091 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97983 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97855 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97729 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97603 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97495 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97389 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97280 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97048 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96850 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96623 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96294 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95952 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95843 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95733 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95624 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95514 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95295 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95029 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94917 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94749 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94389 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94261 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93694 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93557 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 93426 Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99137
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95499
Source: RegSvcs.exe, 00000013.00000002.570894397.0000000005EE0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllowerManagementCapabilities
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Enables debug privileges
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06896BF8 LdrInitializeThunk, 10_2_06896BF8
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000 Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000 Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11DB008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7C0008 Jump to behavior
.NET source code references suspicious native API functions
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/C1.cs Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/e2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Users\user\Desktop\REMITTANCE COPY.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation