Edit tour

Windows Analysis Report
REMITTANCE COPY.exe

Overview

General Information

Sample Name:	REMITTANCE COPY.exe
Analysis ID:	756282
MD5:	e54ca4f235a6878e6c4913b4ddcba055
SHA1:	b91ce873b8a93b46ebac12b5d1e62f3a1a9dd27f
SHA256:	6acfd9ea1b88077926a542fd286da3119b626792f71b09927ca252236245d43a
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

REMITTANCE COPY.exe (PID: 2820 cmdline: C:\Users\user\Desktop\REMITTANCE COPY.exe MD5: E54CA4F235A6878E6C4913B4DDCBA055)

schtasks.exe (PID: 5524 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5924 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

FSmZIJwnxoJulr.exe (PID: 3804 cmdline: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe MD5: E54CA4F235A6878E6C4913B4DDCBA055)

schtasks.exe (PID: 5020 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 2316 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

RegSvcs.exe (PID: 5856 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)

yGbzOMp.exe (PID: 5256 cmdline: "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

yGbzOMp.exe (PID: 4296 cmdline: "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31d44:$a13: get_DnsResolver 0x3043b:$a20: get_LastAccessed 0x32772:$a27: set_InternalServerPort 0x32aa7:$a30: set_GuidMasterKey 0x3054d:$a33: get_Clipboard 0x3055b:$a34: get_Keyboard 0x31928:$a35: get_ShiftKeyDown 0x31939:$a36: get_AltKeyDown 0x30568:$a37: get_Password 0x31083:$a38: get_PasswordHash 0x321a6:$a39: get_DefaultCredentials
00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x15b2e4:$a13: get_DnsResolver 0x191904:$a13: get_DnsResolver 0x1599db:$a20: get_LastAccessed 0x18fffb:$a20: get_LastAccessed 0x15bd12:$a27: set_InternalServerPort 0x192332:$a27: set_InternalServerPort 0x15c047:$a30: set_GuidMasterKey 0x192667:$a30: set_GuidMasterKey 0x159aed:$a33: get_Clipboard 0x19010d:$a33: get_Clipboard 0x159afb:$a34: get_Keyboard 0x19011b:$a34: get_Keyboard 0x15aec8:$a35: get_ShiftKeyDown 0x1914e8:$a35: get_ShiftKeyDown 0x15aed9:$a36: get_AltKeyDown 0x1914f9:$a36: get_AltKeyDown 0x159b08:$a37: get_Password 0x190128:$a37: get_Password 0x15a623:$a38: get_PasswordHash 0x190c43:$a38: get_PasswordHash 0x15b746:$a39: get_DefaultCredentials
Process Memory Space: REMITTANCE COPY.exe PID: 2820	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: REMITTANCE COPY.exe PID: 2820	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: REMITTANCE COPY.exe PID: 2820	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1539fe:$a13: get_DnsResolver 0x1527b4:$a20: get_LastAccessed 0x1541b0:$a27: set_InternalServerPort 0x154384:$a30: set_GuidMasterKey 0x1528a1:$a33: get_Clipboard 0x1528af:$a34: get_Keyboard 0x153730:$a35: get_ShiftKeyDown 0x153741:$a36: get_AltKeyDown 0x1528bc:$a37: get_Password 0x153097:$a38: get_PasswordHash 0x153d3b:$a39: get_DefaultCredentials
Process Memory Space: RegSvcs.exe PID: 5924	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5924	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x234f2:$a13: get_DnsResolver 0x21e49:$a20: get_LastAccessed 0x23ecf:$a27: set_InternalServerPort 0x24136:$a30: set_GuidMasterKey 0x21f44:$a33: get_Clipboard 0x21f52:$a34: get_Keyboard 0x23172:$a35: get_ShiftKeyDown 0x23183:$a36: get_AltKeyDown 0x21f5f:$a37: get_Password 0x229d6:$a38: get_PasswordHash 0x23928:$a39: get_DefaultCredentials
Process Memory Space: RegSvcs.exe PID: 5856	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5856	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
10.0.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a83:$s10: logins 0x344fd:$s11: credential 0x3074d:$g1: get_Clipboard 0x3075b:$g2: get_Keyboard 0x30768:$g3: get_Password 0x31b18:$g4: get_CtrlKeyDown 0x31b28:$g5: get_ShiftKeyDown 0x31b39:$g6: get_AltKeyDown
10.0.RegSvcs.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f44:$a13: get_DnsResolver 0x3063b:$a20: get_LastAccessed 0x32972:$a27: set_InternalServerPort 0x32ca7:$a30: set_GuidMasterKey 0x3074d:$a33: get_Clipboard 0x3075b:$a34: get_Keyboard 0x31b28:$a35: get_ShiftKeyDown 0x31b39:$a36: get_AltKeyDown 0x30768:$a37: get_Password 0x31283:$a38: get_PasswordHash 0x323a6:$a39: get_DefaultCredentials
1.2.REMITTANCE COPY.exe.3f453a0.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.REMITTANCE COPY.exe.3f453a0.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.REMITTANCE COPY.exe.3f453a0.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c83:$s10: logins 0x326fd:$s11: credential 0x2e94d:$g1: get_Clipboard 0x2e95b:$g2: get_Keyboard 0x2e968:$g3: get_Password 0x2fd18:$g4: get_CtrlKeyDown 0x2fd28:$g5: get_ShiftKeyDown 0x2fd39:$g6: get_AltKeyDown
1.2.REMITTANCE COPY.exe.3f453a0.1.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30144:$a13: get_DnsResolver 0x2e83b:$a20: get_LastAccessed 0x30b72:$a27: set_InternalServerPort 0x30ea7:$a30: set_GuidMasterKey 0x2e94d:$a33: get_Clipboard 0x2e95b:$a34: get_Keyboard 0x2fd28:$a35: get_ShiftKeyDown 0x2fd39:$a36: get_AltKeyDown 0x2e968:$a37: get_Password 0x2f483:$a38: get_PasswordHash 0x305a6:$a39: get_DefaultCredentials
11.2.FSmZIJwnxoJulr.exe.2b2ba44.0.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x29eb8:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x29efc:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x29f44:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2a1d0:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x2a234:$s2: Set-MpPreference -DisableArchiveScanning $true 0x2a28c:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x2a2e4:$s4: Set-MpPreference -DisableScriptScanning $true 0x2a330:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x2a370:$s6: Set-MpPreference -MAPSReporting 0 0x2a3bc:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x2a414:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x2a464:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x2a4b4:$s10: Set-MpPreference -SevereThreatDefaultAction 6
1.2.REMITTANCE COPY.exe.2e0ba18.0.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x29eb8:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x29efc:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x29f44:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x2a1d0:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x2a234:$s2: Set-MpPreference -DisableArchiveScanning $true 0x2a28c:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x2a2e4:$s4: Set-MpPreference -DisableScriptScanning $true 0x2a330:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x2a370:$s6: Set-MpPreference -MAPSReporting 0 0x2a3bc:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x2a414:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x2a464:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x2a4b4:$s10: Set-MpPreference -SevereThreatDefaultAction 6
1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a83:$s10: logins 0x6b0a3:$s10: logins 0x344fd:$s11: credential 0x6ab1d:$s11: credential 0x3074d:$g1: get_Clipboard 0x66d6d:$g1: get_Clipboard 0x3075b:$g2: get_Keyboard 0x66d7b:$g2: get_Keyboard 0x30768:$g3: get_Password 0x66d88:$g3: get_Password 0x31b18:$g4: get_CtrlKeyDown 0x68138:$g4: get_CtrlKeyDown 0x31b28:$g5: get_ShiftKeyDown 0x68148:$g5: get_ShiftKeyDown 0x31b39:$g6: get_AltKeyDown 0x68159:$g6: get_AltKeyDown
1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f44:$a13: get_DnsResolver 0x68564:$a13: get_DnsResolver 0x3063b:$a20: get_LastAccessed 0x66c5b:$a20: get_LastAccessed 0x32972:$a27: set_InternalServerPort 0x68f92:$a27: set_InternalServerPort 0x32ca7:$a30: set_GuidMasterKey 0x692c7:$a30: set_GuidMasterKey 0x3074d:$a33: get_Clipboard 0x66d6d:$a33: get_Clipboard 0x3075b:$a34: get_Keyboard 0x66d7b:$a34: get_Keyboard 0x31b28:$a35: get_ShiftKeyDown 0x68148:$a35: get_ShiftKeyDown 0x31b39:$a36: get_AltKeyDown 0x68159:$a36: get_AltKeyDown 0x30768:$a37: get_Password 0x66d88:$a37: get_Password 0x31283:$a38: get_PasswordHash 0x678a3:$a38: get_PasswordHash 0x323a6:$a39: get_DefaultCredentials
1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xe00d3:$s10: logins 0x1166f3:$s10: logins 0xdfb4d:$s11: credential 0x11616d:$s11: credential 0xdbd9d:$g1: get_Clipboard 0x1123bd:$g1: get_Clipboard 0xdbdab:$g2: get_Keyboard 0x1123cb:$g2: get_Keyboard 0xdbdb8:$g3: get_Password 0x1123d8:$g3: get_Password 0xdd168:$g4: get_CtrlKeyDown 0x113788:$g4: get_CtrlKeyDown 0xdd178:$g5: get_ShiftKeyDown 0x113798:$g5: get_ShiftKeyDown 0xdd189:$g6: get_AltKeyDown 0x1137a9:$g6: get_AltKeyDown
1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xdd594:$a13: get_DnsResolver 0x113bb4:$a13: get_DnsResolver 0xdbc8b:$a20: get_LastAccessed 0x1122ab:$a20: get_LastAccessed 0xddfc2:$a27: set_InternalServerPort 0x1145e2:$a27: set_InternalServerPort 0xde2f7:$a30: set_GuidMasterKey 0x114917:$a30: set_GuidMasterKey 0xdbd9d:$a33: get_Clipboard 0x1123bd:$a33: get_Clipboard 0xdbdab:$a34: get_Keyboard 0x1123cb:$a34: get_Keyboard 0xdd178:$a35: get_ShiftKeyDown 0x113798:$a35: get_ShiftKeyDown 0xdd189:$a36: get_AltKeyDown 0x1137a9:$a36: get_AltKeyDown 0xdbdb8:$a37: get_Password 0x1123d8:$a37: get_Password 0xdc8d3:$a38: get_PasswordHash 0x112ef3:$a38: get_PasswordHash 0xdd9f6:$a39: get_DefaultCredentials
Click to see the 13 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\REMITTANCE COPY.exe, ParentImage: C:\Users\user\Desktop\REMITTANCE COPY.exe, ParentProcessId: 2820, ParentProcessName: REMITTANCE COPY.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp, ProcessId: 5524, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: REMITTANCE COPY.exe	ReversingLabs: Detection: 21%
Source: REMITTANCE COPY.exe	Virustotal: Detection: 49%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: REMITTANCE COPY.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe

Joe Sandbox ML: detected

Source: 10.0.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 10.0.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}

Source: REMITTANCE COPY.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: REMITTANCE COPY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr
Source:	Binary string: tDw0Ivm.pdb source: REMITTANCE COPY.exe, FSmZIJwnxoJulr.exe.1.dr
Source:	Binary string: RegSvcs.pdb source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02B27F18
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02B27F09
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02B294B0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02B294C0

Source: global traffic

TCP traffic: 192.168.2.5:49702 -> 119.148.27.3:587

Source: global traffic

TCP traffic: 192.168.2.5:49702 -> 119.148.27.3:587

Source: RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000013.00000002.565816116.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566299272.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://BUBAorlAmTfYEKM.org
Source: RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://JXqRNJ.com
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571267257.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 0000000A.00000003.404386589.00000000067EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571422388.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493584481.0000000005F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: REMITTANCE COPY.exe, 00000001.00000003.288469959.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com8
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.orogenicgroup-bd.com
Source: RegSvcs.exe, 00000013.00000003.493584481.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571466727.0000000005F56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571267257.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: REMITTANCE COPY.exe, 00000001.00000003.303771050.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303959941.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303624192.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303913362.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303859975.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303721912.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303668105.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.E
Source: REMITTANCE COPY.exe, 00000001.00000003.291989862.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: REMITTANCE COPY.exe, 00000001.00000003.293125528.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com4
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comK
Source: REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comOp8
Source: REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTyp
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.come-d
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comll
Source: REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.O
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comorm
Source: REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comr
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.336773384.00000000014B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: REMITTANCE COPY.exe, 00000001.00000003.304551334.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298354512.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298303175.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: REMITTANCE COPY.exe, 00000001.00000003.299382446.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers9
Source: REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers:
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersHr
Source: REMITTANCE COPY.exe, 00000001.00000003.304433086.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersVr
Source: REMITTANCE COPY.exe, 00000001.00000003.297651784.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersur
Source: REMITTANCE COPY.exe, 00000001.00000003.288206696.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288094280.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288042735.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comW
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cna-e8
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnava
Source: REMITTANCE COPY.exe, 00000001.00000003.291721850.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.291634809.0000000005D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnf
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnft
Source: REMITTANCE COPY.exe, 00000001.00000003.291102483.0000000005D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cniUI
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnorm
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnormX
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/i-
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.335473766.0000000005D8F000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300945403.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.302829024.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.301785961.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346313308.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.305138593.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: REMITTANCE COPY.exe, 00000001.00000003.296476214.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com8
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comp
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnX
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cncro
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.orogenicgroup-bd.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 11.2.FSmZIJwnxoJulr.exe.2b2ba44.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.2e0ba18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 10.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1A51FE34u002d102Bu002d4B81u002dB647u002d9B5BFE7FC3FBu007d/u00339A8F051u002d32C9u002d4CC9u002dBC08u002dBE27BEFD88F4.cs

Large array initialization: .cctor: array initializer size 10971

Source: REMITTANCE COPY.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 11.2.FSmZIJwnxoJulr.exe.2b2ba44.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 1.2.REMITTANCE COPY.exe.2e0ba18.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22B98	1_2_02B22B98
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22788	1_2_02B22788
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22F40	1_2_02B22F40
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B248E0	1_2_02B248E0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B268E8	1_2_02B268E8
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B28468	1_2_02B28468
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B20040	1_2_02B20040
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B245B0	1_2_02B245B0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B26AD2	1_2_02B26AD2
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B20A30	1_2_02B20A30
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B20A23	1_2_02B20A23
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B24220	1_2_02B24220
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B24211	1_2_02B24211
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22B88	1_2_02B22B88
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22F30	1_2_02B22F30
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22778	1_2_02B22778
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B248D0	1_2_02B248D0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B268DB	1_2_02B268DB
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B20006	1_2_02B20006
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B2459F	1_2_02B2459F
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B209D3	1_2_02B209D3
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B23939	1_2_02B23939
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B20540	1_2_02B20540
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B23948	1_2_02B23948
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_051EC5E4	1_2_051EC5E4
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_051EE8F8	1_2_051EE8F8
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_051EE8E8	1_2_051EE8E8
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_074F5F48	1_2_074F5F48
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_074F0560	1_2_074F0560
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_074FB570	1_2_074FB570
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_074F5F37	1_2_074F5F37
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_07500040	1_2_07500040
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_07500006	1_2_07500006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0189F780	10_2_0189F780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0189FAC8	10_2_0189FAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0594C518	10_2_0594C518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_05940548	10_2_05940548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_05942638	10_2_05942638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0594D278	10_2_0594D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06894E28	10_2_06894E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0689E770	10_2_0689E770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0689A4C0	10_2_0689A4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068985B8	10_2_068985B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06890040	10_2_06890040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0689D518	10_2_0689D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0689D578	10_2_0689D578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068973D0	10_2_068973D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068E0D58	10_2_068E0D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068E5950	10_2_068E5950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068EA7D1	10_2_068EA7D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068E6089	10_2_068E6089
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068E6188	10_2_068E6188

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 05946F60 appears 52 times

Source: REMITTANCE COPY.exe, 00000001.00000002.350779687.0000000007860000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000000.283146986.0000000000A02000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCassa.dll< vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.342389295.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe	Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50

Source: REMITTANCE COPY.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FSmZIJwnxoJulr.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: REMITTANCE COPY.exe	ReversingLabs: Detection: 21%
Source: REMITTANCE COPY.exe	Virustotal: Detection: 49%

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

File read: C:\Users\user\Desktop\REMITTANCE COPY.exe

Jump to behavior

Source: REMITTANCE COPY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\REMITTANCE COPY.exe C:\Users\user\Desktop\REMITTANCE COPY.exe
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

File created: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe

Jump to behavior

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

File created: C:\Users\user\AppData\Local\Temp\tmp72FE.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/9@2/1

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: RegSvcs.exe, 0000000A.00000002.434916098.0000000003682000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.565780443.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: REMITTANCE COPY.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_01
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Mutant created: \Sessions\1\BaseNamedObjects\DuSwhYmlPmBH
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01

Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: REMITTANCE COPY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: REMITTANCE COPY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: REMITTANCE COPY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr
Source:	Binary string: tDw0Ivm.pdb source: REMITTANCE COPY.exe, FSmZIJwnxoJulr.exe.1.dr
Source:	Binary string: RegSvcs.pdb source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	.Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	.Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	.Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B23754 pushfd ; ret	1_2_02B2375A
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B28CFB push eax; retf	1_2_02B28D01
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B28CF8 pushad ; retf	1_2_02B28CF9
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_051EB879 pushfd ; iretd	1_2_051EB885
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_07503616 push ebx; retf	1_2_07503617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0594F488 push esp; retf	10_2_0594F5A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06890040 push es; iretd	10_2_06891304

Source: initial sample	Static PE information: section name: .text entropy: 7.462745784487049
Source: initial sample	Static PE information: section name: .text entropy: 7.462745784487049

Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	File created: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes \| delete

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe TID: 1004	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe TID: 4668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 4776	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 5604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9841			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9710

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99513	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99161	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99036	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98726	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98617	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98430	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98311	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98202	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98091	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97983	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97855	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97729	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97603	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97495	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97048	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96850	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96623	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96294	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95952	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95733	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95624	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95514	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95295	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95029	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94917	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94261	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93694	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93557	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93426	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99137
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95499

Source: RegSvcs.exe, 00000013.00000002.570894397.0000000005EE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllowerManagementCapabilities
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 10_2_06896BF8 LdrInitializeThunk,

10_2_06896BF8

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11DB008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7C0008	Jump to behavior

.NET source code references suspicious native API functions

Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/C1.cs	Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/e2.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Users\user\Desktop\REMITTANCE COPY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Queries volume information: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 10_2_059454C0 GetUserNameW,

10_2_059454C0

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5856, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: Yara match	File source: 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5856, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5856, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Scheduled Task/Job	211 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 Account Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	11 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	4 Obfuscated Files or Information	Security Account Manager	114 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	23 Software Packing	NTDS	311 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	211 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
REMITTANCE COPY.exe	22%	ReversingLabs	ByteCode-MSIL.Infostealer.DarkStealer
REMITTANCE COPY.exe	49%	Virustotal		Browse
REMITTANCE COPY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	22%	ReversingLabs	ByteCode-MSIL.Infostealer.DarkStealer
C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
10.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.sajatypeworks.com8	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.carterandcone.com4	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnorm	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.founder.com.cn/cnf	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comK	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://microsoft.co	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.carterandcone.comr	0%	URL Reputation	safe
http://www.fonts.comW	0%	URL Reputation	safe
http://www.carterandcone.comn	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.carterandcone.comorm	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.zhongyicts.com.cnX	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.zhongyicts.com.cno.	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cncro	0%	Avira URL Cloud	safe
http://www.carterandcone.como.O	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnava	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cniUI	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comp	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/i-	0%	Avira URL Cloud	safe
http://BUBAorlAmTfYEKM.org	0%	Avira URL Cloud	safe
http://mail.orogenicgroup-bd.com	0%	Avira URL Cloud	safe
http://www.carterandcone.comll	0%	Avira URL Cloud	safe
http://www.carterandcone.come-d	0%	Avira URL Cloud	safe
http://www.agfamonotype.E	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cna-e8	0%	Avira URL Cloud	safe
http://fontfabrik.com8	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnormX	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnft	0%	Avira URL Cloud	safe
http://www.carterandcone.comOp8	0%	Avira URL Cloud	safe
http://www.carterandcone.comTyp	0%	Avira URL Cloud	safe
http://JXqRNJ.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.orogenicgroup-bd.com	119.148.27.3	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cncro	REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comn-u	REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com8	REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	REMITTANCE COPY.exe, 00000001.00000003.304551334.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.com4	REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	REMITTANCE COPY.exe, 00000001.00000003.293125528.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnorm	REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.335473766.0000000005D8F000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300945403.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.302829024.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.301785961.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346313308.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.305138593.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cniUI	REMITTANCE COPY.exe, 00000001.00000003.291102483.0000000005D91000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersVr	REMITTANCE COPY.exe, 00000001.00000003.304433086.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	REMITTANCE COPY.exe, 00000001.00000003.288206696.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288094280.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288042735.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnf	REMITTANCE COPY.exe, 00000001.00000003.291721850.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.291634809.0000000005D84000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnava	REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comK	REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	REMITTANCE COPY.exe, 00000001.00000003.291989862.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.como.O	REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.336773384.00000000014B7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.comp	REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersHr	REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/i-	REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://microsoft.co	RegSvcs.exe, 00000013.00000003.493584481.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571466727.0000000005F56000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.orogenicgroup-bd.com	RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://BUBAorlAmTfYEKM.org	RegSvcs.exe, 00000013.00000002.565816116.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566299272.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comr	REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comll	REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comW	REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comn	REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.come-d	REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.agfamonotype.E	REMITTANCE COPY.exe, 00000001.00000003.303771050.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303959941.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303624192.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303913362.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303859975.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303721912.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303668105.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cna-e8	REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com8	REMITTANCE COPY.exe, 00000001.00000003.288469959.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comorm	REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.monotype.	REMITTANCE COPY.exe, 00000001.00000003.296476214.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cnX	REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnormX	REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnft	REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comTyp	REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://JXqRNJ.com	RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers9	REMITTANCE COPY.exe, 00000001.00000003.299382446.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersur	REMITTANCE COPY.exe, 00000001.00000003.297651784.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cno.	REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298354512.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298303175.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers:	REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.comOp8	REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
119.148.27.3	mail.orogenicgroup-bd.com	Bangladesh		23923	AGNI-ASAgniSystemsLimitedBD	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756282
Start date and time:	2022-11-29 23:18:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	REMITTANCE COPY.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/9@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 262 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:19:13	API Interceptor	1x Sleep call for process: REMITTANCE COPY.exe modified
23:19:21	Task Scheduler	Run new task: FSmZIJwnxoJulr path: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
23:19:26	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
23:19:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
23:19:42	API Interceptor	357x Sleep call for process: RegSvcs.exe modified
23:19:47	API Interceptor	1x Sleep call for process: FSmZIJwnxoJulr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
119.148.27.3	PURCHASE ORDER.exe	Get hash	malicious	Browse
	SWIFT REFERENCE.exe	Get hash	malicious	Browse
	PAYMENT COPY.exe	Get hash	malicious	Browse
	STATEMENT OF ACCOUNT OCT.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.orogenicgroup-bd.com	PURCHASE ORDER.exe	Get hash	malicious	Browse	119.148.27.3
	SWIFT REFERENCE.exe	Get hash	malicious	Browse	119.148.27.3
	PAYMENT COPY.exe	Get hash	malicious	Browse	119.148.27.3
	STATEMENT OF ACCOUNT OCT.exe	Get hash	malicious	Browse	119.148.27.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AGNI-ASAgniSystemsLimitedBD	PURCHASE ORDER.exe	Get hash	malicious	Browse	119.148.27.3
	SWIFT REFERENCE.exe	Get hash	malicious	Browse	119.148.27.3
	PAYMENT COPY.exe	Get hash	malicious	Browse	119.148.27.3
	STATEMENT OF ACCOUNT OCT.exe	Get hash	malicious	Browse	119.148.27.3
	gMDLARX9GI.elf	Get hash	malicious	Browse	119.148.55.237
	fVlHtUkKPO.elf	Get hash	malicious	Browse	119.148.55.224
	Hb8GD7pr7Z	Get hash	malicious	Browse	119.148.55.231
	GRse5xOyWS.dll	Get hash	malicious	Browse	182.252.103.223
	bkryx2aoJM	Get hash	malicious	Browse	182.252.103.235
	gBHjepWUd8	Get hash	malicious	Browse	119.148.55.248
	lDBBhuxCmi	Get hash	malicious	Browse	182.252.76.52
	yg5NmwTscp	Get hash	malicious	Browse	119.148.55.215
	ZYXESmYwdx	Get hash	malicious	Browse	119.148.24.124
	OpwoeuJ0eF	Get hash	malicious	Browse	119.148.55.211
	arm	Get hash	malicious	Browse	182.252.66.208
	BKyU0T5xcw	Get hash	malicious	Browse	119.148.55.225
	Xb1sM3W7BK	Get hash	malicious	Browse	119.148.55.215
	b3astmode.arm	Get hash	malicious	Browse	182.252.66.204
	qKxXZuMvtP	Get hash	malicious	Browse	182.252.66.208
	5whlj6Mewk	Get hash	malicious	Browse	119.148.55.250

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	PURCHASE ORDER # 12076038 & 12076022.exe	Get hash	malicious	Browse
	PURCHASE ORDER.exe	Get hash	malicious	Browse
	monkey.scr.exe	Get hash	malicious	Browse
	Overdue_account letter.exe	Get hash	malicious	Browse
	SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.8076.exe	Get hash	malicious	Browse
	8vP60HbFlryaXUJ.exe	Get hash	malicious	Browse
	Guia_6007241440032929258904227461816514046515369236897929361847432942837799.exe	Get hash	malicious	Browse
	Guia_6007241440032929258904227461816514046515369236897929361847432942837799.exe	Get hash	malicious	Browse
	Shipping documents.PDF.exe	Get hash	malicious	Browse
	SWIFT REFERENCE.exe	Get hash	malicious	Browse
	Bank TT copy.exe	Get hash	malicious	Browse
	Shipping documents and BL. PDF.exe	Get hash	malicious	Browse
	invoice.exe	Get hash	malicious	Browse
	mko.exe	Get hash	malicious	Browse
	PAYMENT COPY.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.23719.26078.exe	Get hash	malicious	Browse
	TT COPY.exe	Get hash	malicious	Browse
	Draft.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.14630.22885.exe	Get hash	malicious	Browse
	82105269.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FSmZIJwnxoJulr.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\REMITTANCE COPY.exe.log

Download File

Process:	C:\Users\user\Desktop\REMITTANCE COPY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yGbzOMp.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp72FE.tmp

Download File

Process:	C:\Users\user\Desktop\REMITTANCE COPY.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1651
Entropy (8bit):	5.1775098793092065
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBVtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3p
MD5:	269DCA092DD3F101BB67595918569AE5
SHA1:	C073FBB9C93034493E7D4F04F5FE1D070E71DD8C
SHA-256:	F2A7823946D9CC784D77659910E2DE48D2FF088AD0DE9FFD935C3EC2A43CEC27
SHA-512:	008E43586B89EF3D717CD3394B3D39B5CD2F42BF9CE9E35E9CDB67269C6F2C3D14D0DA8E61763CE7362BB162EB517681A17578C4D3C0C50749AD4085C00AFD33
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Local\Temp\tmp77E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1651
Entropy (8bit):	5.1775098793092065
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBVtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3p
MD5:	269DCA092DD3F101BB67595918569AE5
SHA1:	C073FBB9C93034493E7D4F04F5FE1D070E71DD8C
SHA-256:	F2A7823946D9CC784D77659910E2DE48D2FF088AD0DE9FFD935C3EC2A43CEC27
SHA-512:	008E43586B89EF3D717CD3394B3D39B5CD2F42BF9CE9E35E9CDB67269C6F2C3D14D0DA8E61763CE7362BB162EB517681A17578C4D3C0C50749AD4085C00AFD33
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe

Download File

Process:	C:\Users\user\Desktop\REMITTANCE COPY.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	866816
Entropy (8bit):	7.470326450965344
Encrypted:	false
SSDEEP:	12288:5RfBQNcgqo2Fr5cE8LHWt/SEdRMA/LyVu6gtY1OaQ3vf8aCmlSVB8Xbc20/HIPPB:r+qopvLC9/L1t+xQFCmQPxHInQ
MD5:	E54CA4F235A6878E6C4913B4DDCBA055
SHA1:	B91CE873B8A93B46EBAC12B5D1E62F3A1A9DD27F
SHA-256:	6ACFD9EA1B88077926A542FD286DA3119B626792F71B09927CA252236245D43A
SHA-512:	989091A3525EA3E57554530DAB20D934E146CAADB4B67A01B612F132758CB5B040529063B3D0EAA3ABD782B04B6C11B7EA51A53330160B3CB75BC313201D49DA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 22%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............P......T........... ... ....@.. ....................................@.....................................K.... .. P........................................................................... ............... ..H............text...4.... ...................... ..`.rsrc... P... ...R..................@..@.reloc...............8..............@..B........................H...........................C..........................................Z(....8.....(....8.....&~..........~.....b(....8......(....8........&~..........~......0..y.......8........E....=...88...(....8....s.........8....s.........8....s.........8....s.........8....s......... .....9....&8........0...........~....o......8......8....8......0...........~....o......8......8....8......0...........~....o......8....8....8........0..$.......8......*8....8.....~....o......8....

C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45152
Entropy (8bit):	6.149629800481177
Encrypted:	false
SSDEEP:	768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5:	2867A3817C9245F7CF518524DFD18F28
SHA1:	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:	7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PURCHASE ORDER # 12076038 & 12076022.exe, Detection: malicious, Browse Filename: PURCHASE ORDER.exe, Detection: malicious, Browse Filename: monkey.scr.exe, Detection: malicious, Browse Filename: Overdue_account letter.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.MSIL.GenKryptik.FYGA.tr.21466.8076.exe, Detection: malicious, Browse Filename: 8vP60HbFlryaXUJ.exe, Detection: malicious, Browse Filename: Guia_6007241440032929258904227461816514046515369236897929361847432942837799.exe, Detection: malicious, Browse Filename: Guia_6007241440032929258904227461816514046515369236897929361847432942837799.exe, Detection: malicious, Browse Filename: Shipping documents.PDF.exe, Detection: malicious, Browse Filename: SWIFT REFERENCE.exe, Detection: malicious, Browse Filename: Bank TT copy.exe, Detection: malicious, Browse Filename: Shipping documents and BL. PDF.exe, Detection: malicious, Browse Filename: invoice.exe, Detection: malicious, Browse Filename: mko.exe, Detection: malicious, Browse Filename: PAYMENT COPY.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.23719.26078.exe, Detection: malicious, Browse Filename: TT COPY.exe, Detection: malicious, Browse Filename: Draft.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.14630.22885.exe, Detection: malicious, Browse Filename: 82105269.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.44831826838854
Encrypted:	false
SSDEEP:	24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5:	1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1:	804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256:	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512:	5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.470326450965344
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	REMITTANCE COPY.exe
File size:	866816
MD5:	e54ca4f235a6878e6c4913b4ddcba055
SHA1:	b91ce873b8a93b46ebac12b5d1e62f3a1a9dd27f
SHA256:	6acfd9ea1b88077926a542fd286da3119b626792f71b09927ca252236245d43a
SHA512:	989091a3525ea3e57554530dab20d934e146caadb4b67a01b612f132758cb5b040529063b3d0eaa3abd782b04b6c11b7ea51a53330160b3cb75bc313201d49da
SSDEEP:	12288:5RfBQNcgqo2Fr5cE8LHWt/SEdRMA/LyVu6gtY1OaQ3vf8aCmlSVB8Xbc20/HIPPB:r+qopvLC9/L1t+xQFCmQPxHInQ
TLSH:	CB058D5673728863F58F01358495318C6EBCA583A6E6F2076B773A8056027FFFA9CE11
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............P......T........... ... ....@.. ....................................@................................

File Icon


Icon Hash:	4e3e72cace7e9e67

Static PE Info

General

Entrypoint:	0x4d032e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63858DB4 [Tue Nov 29 04:42:28 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd02e0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd2000	0x5020	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd0297	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xce334	0xce400	False	0.7656486742424242	data	7.462745784487049	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd2000	0x5020	0x5200	False	0.9108231707317073	data	7.661816841344986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd8000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xd2130	0x49b2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xd6ae4	0x14	data
RT_VERSION	0xd6af8	0x33c	data
RT_MANIFEST	0xd6e34	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 23:19:44.276021957 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:44.587918043 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:44.588063955 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:48.028115988 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:48.028467894 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:48.340773106 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:48.341048002 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:48.654963970 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:48.714406967 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:48.905726910 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:49.226938963 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:49.226977110 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:49.226994991 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:49.227008104 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:49.227170944 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:49.228629112 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:49.401873112 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:49.570498943 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:49.882066965 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:50.011343956 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:50.270930052 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:50.582626104 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:50.584830999 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:50.897109032 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:51.011531115 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:51.817368984 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:52.167968988 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:52.174232960 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:52.486279011 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:52.486763954 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:52.806159973 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:52.806565046 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:53.117810011 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:53.119280100 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:53.119713068 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:53.120037079 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:53.120125055 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:19:53.431646109 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:53.431699991 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:53.431736946 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:53.431775093 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:53.628751040 CET	587	49702	119.148.27.3	192.168.2.5
Nov 29, 2022 23:19:53.714818001 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:12.958915949 CET	49702	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:30.887084961 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:31.192751884 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:31.192878962 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:31.505937099 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:31.508374929 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:31.814308882 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:31.814596891 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:32.122059107 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:32.141771078 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:32.462547064 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:32.462631941 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:32.462693930 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:32.462743998 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:32.462865114 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:32.462865114 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:32.465277910 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:32.482307911 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:32.788265944 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:32.843096972 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:32.866729021 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:33.172338009 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:33.172903061 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:33.478811026 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:33.479494095 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:33.824166059 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:33.862101078 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:33.862700939 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:34.168560028 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:34.168592930 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:34.169233084 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:34.484185934 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:34.484831095 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:34.791023016 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:34.792371035 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:34.792440891 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:34.792514086 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:34.792606115 CET	49706	587	192.168.2.5	119.148.27.3
Nov 29, 2022 23:20:35.098450899 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:35.098514080 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:35.098743916 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:35.206922054 CET	587	49706	119.148.27.3	192.168.2.5
Nov 29, 2022 23:20:35.249504089 CET	49706	587	192.168.2.5	119.148.27.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 23:19:44.056919098 CET	60649	53	192.168.2.5	8.8.8.8
Nov 29, 2022 23:19:44.226650953 CET	53	60649	8.8.8.8	192.168.2.5
Nov 29, 2022 23:20:30.696413040 CET	61452	53	192.168.2.5	8.8.8.8
Nov 29, 2022 23:20:30.867413998 CET	53	61452	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 23:19:44.056919098 CET	192.168.2.5	8.8.8.8	0x4265	Standard query (0)	mail.orogenicgroup-bd.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 23:20:30.696413040 CET	192.168.2.5	8.8.8.8	0xa6f0	Standard query (0)	mail.orogenicgroup-bd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 23:19:44.226650953 CET	8.8.8.8	192.168.2.5	0x4265	No error (0)	mail.orogenicgroup-bd.com		119.148.27.3	A (IP address)	IN (0x0001)	false
Nov 29, 2022 23:20:30.867413998 CET	8.8.8.8	192.168.2.5	0xa6f0	No error (0)	mail.orogenicgroup-bd.com		119.148.27.3	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 29, 2022 23:19:48.028115988 CET	587	49702	119.148.27.3	192.168.2.5	220-panel2.agni.com ESMTP Exim 4.95 #2 Wed, 30 Nov 2022 04:19:47 +0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 29, 2022 23:19:48.028467894 CET	49702	587	192.168.2.5	119.148.27.3	EHLO 618321
Nov 29, 2022 23:19:48.340773106 CET	587	49702	119.148.27.3	192.168.2.5	250-panel2.agni.com Hello 618321 [102.129.143.49] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-STARTTLS 250 HELP
Nov 29, 2022 23:19:48.341048002 CET	49702	587	192.168.2.5	119.148.27.3	STARTTLS
Nov 29, 2022 23:19:48.654963970 CET	587	49702	119.148.27.3	192.168.2.5	220 TLS go ahead
Nov 29, 2022 23:20:31.505937099 CET	587	49706	119.148.27.3	192.168.2.5	220-panel2.agni.com ESMTP Exim 4.95 #2 Wed, 30 Nov 2022 04:20:31 +0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 29, 2022 23:20:31.508374929 CET	49706	587	192.168.2.5	119.148.27.3	EHLO 618321
Nov 29, 2022 23:20:31.814308882 CET	587	49706	119.148.27.3	192.168.2.5	250-panel2.agni.com Hello 618321 [102.129.143.49] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-STARTTLS 250 HELP
Nov 29, 2022 23:20:31.814596891 CET	49706	587	192.168.2.5	119.148.27.3	STARTTLS
Nov 29, 2022 23:20:32.122059107 CET	587	49706	119.148.27.3	192.168.2.5	220 TLS go ahead

Target ID:	1
Start time:	23:18:56
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\REMITTANCE COPY.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\REMITTANCE COPY.exe
Imagebase:	0x930000
File size:	866816 bytes
MD5 hash:	E54CA4F235A6878E6C4913B4DDCBA055
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	8
Start time:	23:19:19
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp
Imagebase:	0x9c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	23:19:19
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	23:19:19
Start date:	29/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xee0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	23:19:21
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
Imagebase:	0x650000
File size:	866816 bytes
MD5 hash:	E54CA4F235A6878E6C4913B4DDCBA055
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 22%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	12
Start time:	23:19:35
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Imagebase:	0xed0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	23:19:35
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	23:19:43
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Imagebase:	0x430000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	15
Start time:	23:19:43
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	16
Start time:	23:19:58
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp
Imagebase:	0x7ff7c8a30000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	17
Start time:	23:19:58
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	18
Start time:	23:19:58
Start date:	29/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3f0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	19
Start time:	23:19:59
Start date:	29/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x500000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	21.8%
Total number of Nodes:	229
Total number of Limit Nodes:	16

Executed Functions

Function 02B264E0 Relevance: 3.1, APIs: 2, Instructions: 88
memoryinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02B264AB
WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02B26575

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: 2d15ec5e1a54a9b0e68d39d745c59c0864bad8d3cce3860d4efb1a320b40bfa2
Instruction ID: d58c22d0bf98315c5368cf2d7d84ada19d1430d9c1129e281ccbc396d11b0906
Opcode Fuzzy Hash: 2d15ec5e1a54a9b0e68d39d745c59c0864bad8d3cce3860d4efb1a320b40bfa2
Instruction Fuzzy Hash: D73139B1900359DFCB10CF9AD985BDEBBF8FB48314F14846AE558A3650D378A548CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B268DB Relevance: 2.8, Strings: 2, Instructions: 287
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-wD, xrefs: 02B26A9E
-wD, xrefs: 02B26AA5

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID: -wD$-wD
API String ID: 0-393966037
Opcode ID: 3469b6eeb6e2ddd2d4bc843ac8c8d7c568229e133485c4143f8630eb3a175669
Instruction ID: 055219379a91211c3e22445bc8fedcecd2f3662e80ae0bd06de79f2d7a0e7210
Opcode Fuzzy Hash: 3469b6eeb6e2ddd2d4bc843ac8c8d7c568229e133485c4143f8630eb3a175669
Instruction Fuzzy Hash: A5B16970E15328DBCB08CFA5D58569DFBF6FB89310F20A16AD009BB254E734994ACF04

Uniqueness

Uniqueness Score: -1.00%

Function 02B268E8 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-wD, xrefs: 02B26A9E
-wD, xrefs: 02B26AA5

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID: -wD$-wD
API String ID: 0-393966037
Opcode ID: aed9f2980262119b4e4fd307b8c53886fdb0e78a55099cd9e5c3fc898e9b4fb7
Instruction ID: 2409a847aeb0ef181a054d069cf53b892853c259235c6e9002c635b2c5ec2b78
Opcode Fuzzy Hash: aed9f2980262119b4e4fd307b8c53886fdb0e78a55099cd9e5c3fc898e9b4fb7
Instruction Fuzzy Hash: ADA147B0E19328DBCB08CFA5D58469EFBF6FB89310F24A56AD019B7254E7349949CF04

Uniqueness

Uniqueness Score: -1.00%

Function 02B24211 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

%J, xrefs: 02B2448C

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID: %J
API String ID: 0-324193454
Opcode ID: 9fb3821e4a74e205455d65395189af064fdeb8976bff6d18346fdbec2ff8a8af
Instruction ID: 03fa30d42f55fa4a4d958aa9ce39f40a539b4917c95318addf07eea7c00a7679
Opcode Fuzzy Hash: 9fb3821e4a74e205455d65395189af064fdeb8976bff6d18346fdbec2ff8a8af
Instruction Fuzzy Hash: B89134B4E19229CFCB04DFA6D4415AEBBB2FB8A310F10946AD419B7714E7345A4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 074F0560 Relevance: 1.0, Instructions: 973COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c27421ccf2059d206e1ffe2f9c4f657c90010e2db4c606f88ac6ef52ef2f55
Instruction ID: 5d6d32bbc5d1a5c749da70bf907207581fe8c5837097ba91efb2b5da4395bb21
Opcode Fuzzy Hash: f9c27421ccf2059d206e1ffe2f9c4f657c90010e2db4c606f88ac6ef52ef2f55
Instruction Fuzzy Hash: 0972E0707101148FCB18EB78C854AAE77E7BFC9258F14852AD506DB7A5CF34EC4A8B92

Uniqueness

Uniqueness Score: -1.00%

Function 074FB570 Relevance: .9, Instructions: 894COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcca0b8ebe2d68ecf98e1bb0238bd9732296f43ff25cc7b55cdf677e43626f32
Instruction ID: e96fc82cfcfc3226970ff27bcdfb46f714b6fd1ae4519a121dc59b26caadabe6
Opcode Fuzzy Hash: fcca0b8ebe2d68ecf98e1bb0238bd9732296f43ff25cc7b55cdf677e43626f32
Instruction Fuzzy Hash: 02725CB0A001199FCB14DFA8D884AEEBBB6FF8A344F14856AE505EB361DB34D845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 074F5F48 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0187affc9ba0ef40f4154a3ef2ec4bbe613a4b24caf229ca88bd731a48a089b
Instruction ID: c1750234f820ccd79bab3e864b61039e16369e0d15fe01e9f17e0014cfc9fc5e
Opcode Fuzzy Hash: d0187affc9ba0ef40f4154a3ef2ec4bbe613a4b24caf229ca88bd731a48a089b
Instruction Fuzzy Hash: 2812C775D1061ACFCB14EF68C880AD9F7B1FF89300F1586AAD558A7211EB70AAC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 074F5F37 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bca808c32d4d9e660a058370adbc231be79c0d899b592a4342c51107f1390eb
Instruction ID: d33401c492f4e9617085141d41134562b9395a1331536a9774bce9442111adbf
Opcode Fuzzy Hash: 6bca808c32d4d9e660a058370adbc231be79c0d899b592a4342c51107f1390eb
Instruction Fuzzy Hash: C012C675D0071A8FCB14DF68C880AD9F7B1FF99300F1586AAD958A7211EB70AAC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B28468 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77151edf08d303f0140646f97a811612bfa970b08ba6072a22e8ed730180021f
Instruction ID: 57b3397f61cbf777c9381b4035f0b780350eb25af0737dd3d66aa4726eeeaa6a
Opcode Fuzzy Hash: 77151edf08d303f0140646f97a811612bfa970b08ba6072a22e8ed730180021f
Instruction Fuzzy Hash: B0D1BB717017208FEB25DB75C850BAAB7F6AF88704F1484ADD14A8B7A1CF34E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02B20006 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cedcc65bd3423e34fd6117997820f832366de74fc9894bfc317effacbc1d2b0
Instruction ID: 762d4288bc1ca13e8709de08c824475eaa275e0b42d71188078eda4c1fa7931f
Opcode Fuzzy Hash: 1cedcc65bd3423e34fd6117997820f832366de74fc9894bfc317effacbc1d2b0
Instruction Fuzzy Hash: 82C16970E092298FDB04DFA9C9806DEBBF2BF99310F1485A6D408EB359D7349945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02B20040 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d695ad57a106aea68db5fba3a63f7b6418a23eefd81cfa9e7953755e972768
Instruction ID: 9912a7050182c6bcc8fcfd22845e0154df6686dacfa7618096609f847fff24c8
Opcode Fuzzy Hash: 93d695ad57a106aea68db5fba3a63f7b6418a23eefd81cfa9e7953755e972768
Instruction Fuzzy Hash: EEB144B0E052298BDB04DFA9C5816EEFBF2EF98310F14856AD409BB318D7309946CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02B245B0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d34f6c38234348070db7e37f197b5db740e1d0af77f69de7a238a2aaf237c47
Instruction ID: 9bfed2761f0d74f6e5f9aad5244832636c9c456c5d6843093ab2ab48cb7040bc
Opcode Fuzzy Hash: 3d34f6c38234348070db7e37f197b5db740e1d0af77f69de7a238a2aaf237c47
Instruction Fuzzy Hash: 29814870E16759DFCB04CFE5D68069DFBB2FB89310F20A46AD00ABB654E7349909CB14

Uniqueness

Uniqueness Score: -1.00%

Function 02B2459F Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd825a5abbdbe640763575bb72233f272283cd6f109e889e0571b3f045713e9
Instruction ID: cb69d2543e654d1be87210eb17b587a1d7ab99221d708a22a66e833ceb70f818
Opcode Fuzzy Hash: cbd825a5abbdbe640763575bb72233f272283cd6f109e889e0571b3f045713e9
Instruction Fuzzy Hash: 46716970E16219EFCB04CFE5D68069DFBF2FB89310F20A46AD00AB7654E7349909CB14

Uniqueness

Uniqueness Score: -1.00%

Function 02B22B88 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8289554d3e2e3b726810bd5d076bc4e18637bf1578555571deec8e1ec7206543
Instruction ID: 0d01cafdf15ad4d333513162f017091480af63df81a1f0ec16ff7b5ba854492a
Opcode Fuzzy Hash: 8289554d3e2e3b726810bd5d076bc4e18637bf1578555571deec8e1ec7206543
Instruction Fuzzy Hash: 20811274E14218DFCB08DFA5E9955AEBBB2FF88311F10C12AE81AAB354DB305946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B22B98 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a344d07a658dc8ddf7283af2997dcf9cbb0eaf685ad8431ba49ef9a7d047e6
Instruction ID: a51ebf196b5ae2eb7bfc1b63e5f81e2bd2858de9bcdddba77cb9185718cfc00f
Opcode Fuzzy Hash: 30a344d07a658dc8ddf7283af2997dcf9cbb0eaf685ad8431ba49ef9a7d047e6
Instruction Fuzzy Hash: 6B7102B4E14218DFCB08DFA5D9555AEBBB2FF88311F10C12AE81AA7354DB705906CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B248E0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5553881eb7337c21146105838434946eb2b3bf42045db28c4478e144b55de38
Instruction ID: 1a5cb4b7d8de4cff27ea163793d77c7d3a1f42721839286e289129f48c7d3896
Opcode Fuzzy Hash: e5553881eb7337c21146105838434946eb2b3bf42045db28c4478e144b55de38
Instruction Fuzzy Hash: 74512771E0562A8BDB24CF65C840BE9B7B6BF88300F1082E6D10DA7650EB705A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02B248D0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3bcdc55f1ee513a092640ac2f0c06cd5687001541775821f5af1ceaf173578e
Instruction ID: 7f0b71c061f68bf863b316eb76e710895f6553bf8528808d681a628688ed984d
Opcode Fuzzy Hash: a3bcdc55f1ee513a092640ac2f0c06cd5687001541775821f5af1ceaf173578e
Instruction Fuzzy Hash: BB513971E1162A8BDB64CF65CD44BD9BBB2BF88300F1082EAD509A7654EB705AC5DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02B22F30 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f187c0916a7a26335b0e0e782ced5476ebe87ce892a5ef68b8a05a973d16f857
Instruction ID: d170170a79c4606a1e0fd2e153af79b813c31fb4eda3390c5f6e47c79ecf6ec4
Opcode Fuzzy Hash: f187c0916a7a26335b0e0e782ced5476ebe87ce892a5ef68b8a05a973d16f857
Instruction Fuzzy Hash: 7C414970E15219DFCB04CFA5D9406EEBBF2FF88200F1499AAD419E7268D7749A05CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B22F40 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa43bd362638e4787708ab2eda2bd56334007bfdf645c010b3fb71cf1da2b1b3
Instruction ID: e914951146b76763d5efb784a768693319777e38500d49b5fe92a74daf146a16
Opcode Fuzzy Hash: fa43bd362638e4787708ab2eda2bd56334007bfdf645c010b3fb71cf1da2b1b3
Instruction Fuzzy Hash: CD413770D15219DFCB04CFA6D5406EEBBF6FF88200F10996AD819E7258D7345A05CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02B26AD2 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7ed85789a408e07ecc41f7e40374857f846c28c1b2da34347a3f3393bfb3d9
Instruction ID: 44477e04e174b0f3fc849a1726489ab900ef036f1137933156a6ae41bebc604c
Opcode Fuzzy Hash: 1f7ed85789a408e07ecc41f7e40374857f846c28c1b2da34347a3f3393bfb3d9
Instruction Fuzzy Hash: 1B412474E05328CBCB18CFA4D58559EFBB6FB89310F20A56AD00AE7254E730994ACF14

Uniqueness

Uniqueness Score: -1.00%

Function 02B22778 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09415b93746c7c21827cc0407740f5a2e12e3cafb88a85daab09b3666115a8eb
Instruction ID: b4cbd7b235e934b0688e1cd36aefa76d8de98b14f6edfd454d1e6d0e9821a1bd
Opcode Fuzzy Hash: 09415b93746c7c21827cc0407740f5a2e12e3cafb88a85daab09b3666115a8eb
Instruction Fuzzy Hash: D1419C70E192298FCB08CFA5D9445DEBBB2EB8D350F14D56AD80AF7364D7349809CB68

Uniqueness

Uniqueness Score: -1.00%

Function 02B22788 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2af6676e91a4150a3c2ec3490f9de956251eb47889bd39c3c17ab594b670d88
Instruction ID: d9b764e2d11dc56a344fe09c04de28b9c66da7da526105d9c296da88c566c1e1
Opcode Fuzzy Hash: a2af6676e91a4150a3c2ec3490f9de956251eb47889bd39c3c17ab594b670d88
Instruction Fuzzy Hash: EF316B70E192288BCB08CFA5D9505DEBBB6EB8D310F14D56AD80AF7364D7349809CB68

Uniqueness

Uniqueness Score: -1.00%

Function 02B27F18 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374e54d7f55f06b276d413ec8a2b5a8df4e6d3037a3cc02e075939f375c60853
Instruction ID: bd3d0557a9c86b1868be5f7781a7d87e786cb1fc5158fd1e67dff11fed72294f
Opcode Fuzzy Hash: 374e54d7f55f06b276d413ec8a2b5a8df4e6d3037a3cc02e075939f375c60853
Instruction Fuzzy Hash: 42210A34D0D3A89BDB14CFA5D4546FEFAF9AB4A300F14A0A9E409B3291DB344948DA28

Uniqueness

Uniqueness Score: -1.00%

Function 02B27F09 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c923021986583156722a864490cc2512b159ad911b07c9d67e3ae1107b6bd57
Instruction ID: 3037986b76a1acae559ae51ef56295bd26b997bc301e3c59c663d42eeb4632e6
Opcode Fuzzy Hash: 9c923021986583156722a864490cc2512b159ad911b07c9d67e3ae1107b6bd57
Instruction Fuzzy Hash: ED212C74D0D3A8DBDB04CFA4D5587FDFBF9AB0A301F0461A9E409B3291DB344948DA28

Uniqueness

Uniqueness Score: -1.00%

Function 051E9850 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 051E9A96

Memory Dump Source

Source File: 00000001.00000002.344139269.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51e0000_REMITTANCE COPY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 890c77f7faf074c588ee5b4f19e49f6e0798510d5d48293d63cfa7da1850e4ec
Instruction ID: d9b67591de6adb93bc30b8f4de0fd9c3a080a96f2d755e7cadf8b140e646a6e3
Opcode Fuzzy Hash: 890c77f7faf074c588ee5b4f19e49f6e0798510d5d48293d63cfa7da1850e4ec
Instruction Fuzzy Hash: 65711470A10B059FD724DF2AD445BAABBF5FF88204F00892ED48AD7B50DB75E849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B25F37 Relevance: 1.6, APIs: 1, Instructions: 146
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02B26093

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cf876c4f58f2aaaa576d2e032a54bc743985d11d21f20fc675a542c8dbf79991
Instruction ID: 4ff034eef0b83473db78a0e420ff10ba433fbe6ca23b81231f0aa03ef2700a8f
Opcode Fuzzy Hash: cf876c4f58f2aaaa576d2e032a54bc743985d11d21f20fc675a542c8dbf79991
Instruction Fuzzy Hash: 2951E471D01369DFDB24CF99C980BDEBBB5BB48314F14849AE40CA7250DB71AA89CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B25F40 Relevance: 1.6, APIs: 1, Instructions: 143
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 02B26093

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8dcbd8cf2bad3cfacd2c063e1078865adca1991c667ecd63055ee1b09172667f
Instruction ID: a515818f9c6b9b4e60d0b375653dee04ca09fd8aef7f20a9ca03e16673627a92
Opcode Fuzzy Hash: 8dcbd8cf2bad3cfacd2c063e1078865adca1991c667ecd63055ee1b09172667f
Instruction Fuzzy Hash: C551E371D01369DFDB24CF99C980BDEBBB6AF48314F14849AE80CA7250DB719A89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02B264E8 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02B26575

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a8897c319d0fa99e7350d8fff5f546ad62785adc6d8befcb4fb849b83c2400fa
Instruction ID: b14621c38c161acb955aa0c28933e5b6b1b7bf105907565b020a6d24cc6f8624
Opcode Fuzzy Hash: a8897c319d0fa99e7350d8fff5f546ad62785adc6d8befcb4fb849b83c2400fa
Instruction Fuzzy Hash: 172114B1901359DFCB10CF9AD985BDEBBF8FB48314F00846AE918A3750D378A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 051EA57C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,051EBD3E,?,?,?,?,?), ref: 051EBDFF

Memory Dump Source

Source File: 00000001.00000002.344139269.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51e0000_REMITTANCE COPY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f05ae8f7796ad51fc3e578f5e72d884c8395badf9b06d38cea710e05b3b582b6
Instruction ID: d7c17671f41a01b67aaa0925bd16474bfc29b2d09a3cb00096e1d20247e3d868
Opcode Fuzzy Hash: f05ae8f7796ad51fc3e578f5e72d884c8395badf9b06d38cea710e05b3b582b6
Instruction Fuzzy Hash: 5421E5B59052089FDB10CFA9D584ADEBBF8FB48324F14845AE954A7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051EBD70 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,051EBD3E,?,?,?,?,?), ref: 051EBDFF

Memory Dump Source

Source File: 00000001.00000002.344139269.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51e0000_REMITTANCE COPY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 75a642383788bbd28012dbe6f029a84d3e600e9e8cf6691d695b72f80f8b9c4d
Instruction ID: 3853528fc1aa3f0a4f7119200fa6a679f52715a6a9729979592a5b3a43e96c86
Opcode Fuzzy Hash: 75a642383788bbd28012dbe6f029a84d3e600e9e8cf6691d695b72f80f8b9c4d
Instruction Fuzzy Hash: 6221E6B5D01208AFDB10CFA9D984ADEBBF4FB48324F14841AE954B3310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B26369 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02B263EF

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e44d9ff91da0f31846c609f72a40541f5598a0621517db9dfe336f46efe1dce0
Instruction ID: 32b578923c1b383c964ee19dcf619b556e9d6595ecc42a64d0d964f2fb32ad61
Opcode Fuzzy Hash: e44d9ff91da0f31846c609f72a40541f5598a0621517db9dfe336f46efe1dce0
Instruction Fuzzy Hash: 3E2107719013599FCB10CF9AD984BDEBBF4FB48324F10846AE958A3750D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B262A9 Relevance: 1.6, APIs: 1, Instructions: 60
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 02B26327

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: fe0908153db11d47265be70c193a70e6b0531434fb08e159c4c5d87d4d654ba5
Instruction ID: f13cb589320554e7af2598f35880c16d11ee5b8734b19d5245ad75f56284bb86
Opcode Fuzzy Hash: fe0908153db11d47265be70c193a70e6b0531434fb08e159c4c5d87d4d654ba5
Instruction Fuzzy Hash: 412108B1D102199FCB00CF9AD5457DEFBB8BB08224F54816AD458B3740D778A9588FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B26370 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02B263EF

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: db6ae3e27afdd66ccaf8589f57e343acd249f039e0b377688ec9f82bd3e4972e
Instruction ID: 0cb2eeaae61677371b0d844256b82ca31458426d48e0f0af9ce821357ceee037
Opcode Fuzzy Hash: db6ae3e27afdd66ccaf8589f57e343acd249f039e0b377688ec9f82bd3e4972e
Instruction Fuzzy Hash: 0521E2B19013599FCB10CF9AD984BDEBBF8FB48324F10846AE958A3750D378A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B262B0 Relevance: 1.6, APIs: 1, Instructions: 58
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 02B26327

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: ec14c388e487438520877bf43d4c7b3513daff83e5a446ebc514c7b1ae41f9c3
Instruction ID: e0c6a58f02a71365ec33bb39de91a2d22adf89a03188242ca02e936ee33cd2a1
Opcode Fuzzy Hash: ec14c388e487438520877bf43d4c7b3513daff83e5a446ebc514c7b1ae41f9c3
Instruction Fuzzy Hash: 642106B1D102199FCB10CF9AD9857DEFBF8FB48224F54816AE418B3740D778A9588FA1

Uniqueness

Uniqueness Score: -1.00%

Function 051E8DD8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,051E9B11,00000800,00000000,00000000), ref: 051E9D22

Memory Dump Source

Source File: 00000001.00000002.344139269.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51e0000_REMITTANCE COPY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 23d134e04f22e676ac768871f405295b121e9cf1072b0c9f5b1f4b9b0b2986b4
Instruction ID: 0f1b34abfa02b81df55d5ad34109b9c51ce10be2b5e1acda82e8ea4b443114c1
Opcode Fuzzy Hash: 23d134e04f22e676ac768871f405295b121e9cf1072b0c9f5b1f4b9b0b2986b4
Instruction Fuzzy Hash: FD1114B69002089FCB10CF9AD544AEEFBF4FB48324F00846AE815B7700C374A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051E9CB2 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,051E9B11,00000800,00000000,00000000), ref: 051E9D22

Memory Dump Source

Source File: 00000001.00000002.344139269.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51e0000_REMITTANCE COPY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eca2fceecd153d732e686601797063cd3db4c27731327cb9e56913d8ee17154f
Instruction ID: e010af80a286c8204fe1e90fb5979538d6a76dab61d17bc5e34b1b01aeb18be0
Opcode Fuzzy Hash: eca2fceecd153d732e686601797063cd3db4c27731327cb9e56913d8ee17154f
Instruction Fuzzy Hash: 5E1114B68002489FCB10CF9AD544AEEFBF4BB48324F04846AE459A7700C374A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B26438 Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02B264AB

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e5af855cd4b2860943975d5d293505558e60cc3dec969e677557a490a1950a1a
Instruction ID: 9d9e286ec8d65d1ad79144a933f8f71bca2cd57aedc1d496e53220ebdd09f8cb
Opcode Fuzzy Hash: e5af855cd4b2860943975d5d293505558e60cc3dec969e677557a490a1950a1a
Instruction Fuzzy Hash: C61146B6800259DFCB10CF89D984BDEBBF4EF48324F14845AE568A7710C335A544CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B26440 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02B264AB

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 06c2d0b9fc880a65a1c111dc3d6fe16dc232f8d060729048c6eae54fd8e75582
Instruction ID: 8cd9a6d7df4995e759a5681d939bc6bb85597d4f46be2d1d9957254d21ec76a4
Opcode Fuzzy Hash: 06c2d0b9fc880a65a1c111dc3d6fe16dc232f8d060729048c6eae54fd8e75582
Instruction Fuzzy Hash: F01122B2900258DFCB10CF9AD984BDEBBF8FB48324F148459E568A7710C375A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B26FA8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02B2700D

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 09e66dfbb0ee0123222b8e9f556d7cb239b4da2408610fc64aca7d836cac3802
Instruction ID: 0d5774c6a5c51f05c47a2480673a043f09e3585264bb16c1d01fc927736b00d7
Opcode Fuzzy Hash: 09e66dfbb0ee0123222b8e9f556d7cb239b4da2408610fc64aca7d836cac3802
Instruction Fuzzy Hash: FD11F2B68003188FDB20CF99D584BEEFBF4EB48324F10845AE558A3610C375A988CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051E9A30 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 051E9A96

Memory Dump Source

Source File: 00000001.00000002.344139269.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51e0000_REMITTANCE COPY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c6af8281ee21b86b66a9931c33dae444f62f4993b7d7b929b8e6d0ea2280bc79
Instruction ID: cdf54a6fafd88701f721ab63132546c29b797605bf020c4a5282a563158c2301
Opcode Fuzzy Hash: c6af8281ee21b86b66a9931c33dae444f62f4993b7d7b929b8e6d0ea2280bc79
Instruction Fuzzy Hash: 641110B6C006098FCB10CF9AD544BDEFBF4AF88324F14842AD859B7610C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B26698 Relevance: 1.5, APIs: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02B266FF

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 955212015eee6d494493dcee457dd681595bb5b7d1ce6cb4f5596093d44a9a96
Instruction ID: 32e47e04bc7d9ad1c4c2181a2863d9cec45f2b0ca7371aeb642280872211c395
Opcode Fuzzy Hash: 955212015eee6d494493dcee457dd681595bb5b7d1ce6cb4f5596093d44a9a96
Instruction Fuzzy Hash: 521133B18003588FCB10CF9AD584BDEBBF8EB48328F10845AD858A3710D378A948CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B26FB0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02B2700D

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b20e9cbaa53f8d263b59ee178cf9133539cd507381e0b1f2f63c8c22163f7222
Instruction ID: 1b63bc8402462d7945f3fe0aa8078fe69d4f966a12beed2c8756e619050752ce
Opcode Fuzzy Hash: b20e9cbaa53f8d263b59ee178cf9133539cd507381e0b1f2f63c8c22163f7222
Instruction Fuzzy Hash: FB11D3B68003599FDB10CF99D985BDFFBF8EB48324F10845AE558A7600C375A588CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B266A0 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02B266FF

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 64d4ba4550445c199c92a6d43ea1564eed2357033d46010cef33068c1d408b6a
Instruction ID: 846c7de078c838fa1a9008aa2602f76f629e038be67b4538ba2d88b8ce8dbc4a
Opcode Fuzzy Hash: 64d4ba4550445c199c92a6d43ea1564eed2357033d46010cef33068c1d408b6a
Instruction Fuzzy Hash: 771112B18002588FCB10CF9AD584BDEBBF8EB48328F20845AD958A3710C775A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 074FA047 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

e, xrefs: 074FA049

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 8ba6cd5659d1e5f34886cde275a8528f3e8b4575ef9e0b3ebd986c0fe59243c7
Instruction ID: dab3a2fd35ef395c106689aec41a88784061e9c2dc7e4414edf196e9abd72e04
Opcode Fuzzy Hash: 8ba6cd5659d1e5f34886cde275a8528f3e8b4575ef9e0b3ebd986c0fe59243c7
Instruction Fuzzy Hash: AF31E4712092959FC7069F24E9A47EB3FB1EF46224F0584A7E549CB292C7388859C791

Uniqueness

Uniqueness Score: -1.00%

Function 074FCC48 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497fe2a2e698f20af9f28b7e8b33dda224dbfb39dfb96414dbca979b7d4b8bac
Instruction ID: 25dd289c7c051436637355a6ca158513165c63263a5d3391f7c8f578dae3dd92
Opcode Fuzzy Hash: 497fe2a2e698f20af9f28b7e8b33dda224dbfb39dfb96414dbca979b7d4b8bac
Instruction Fuzzy Hash: 2E323CB5B0050ACFCB14CF64DA94AAEBBB2BF49314F158556E5069B3A1CB30ED81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0750A678 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08b25281b16350decd960951b6b71c802b2f98662f4cb899d10a81fb7286cb9
Instruction ID: 5df9a5dca2e9a57e426718e73607f795a58efd17efc95ee3d6807a69d0b3b55c
Opcode Fuzzy Hash: c08b25281b16350decd960951b6b71c802b2f98662f4cb899d10a81fb7286cb9
Instruction Fuzzy Hash: 2D225BF1905B438AD7705B648DC93DEB6A3BF06314F205D5BD0FACA299D734A0868BC6

Uniqueness

Uniqueness Score: -1.00%

Function 0750A6B8 Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7234c0767fcf61af15d1ccd12cf072eb714f5b496f91cac041a7b207f0a074
Instruction ID: caf050fcce04441d035c14063164bb1acc62070e21f83987e1f737d16e50a427
Opcode Fuzzy Hash: 3b7234c0767fcf61af15d1ccd12cf072eb714f5b496f91cac041a7b207f0a074
Instruction Fuzzy Hash: 441249F1905B438AD7745B648CC93DEA693BF06308F205D1BD0FACA299D734A0869BC6

Uniqueness

Uniqueness Score: -1.00%

Function 074F2500 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03167cc3ec0c0e79b1c2490f296daba30360cb58b69e3489bbee24c84885bbed
Instruction ID: 10d6f718f3bed92411643ca78c7dcc7f3fcd897940c6af7f3670ce761db611e8
Opcode Fuzzy Hash: 03167cc3ec0c0e79b1c2490f296daba30360cb58b69e3489bbee24c84885bbed
Instruction Fuzzy Hash: 6FF1A0B17106118FCB18DF68D9949AEB3F2FF89724B20466AD615CB7A1CB30EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 074FED30 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7785d9abbe70573d28d542af72a11e7c39757993443270d28ea7efa34ee5357
Instruction ID: a798eed314e88114d2635621939dcc62afab2921047ed775a2c32c1df23128b8
Opcode Fuzzy Hash: d7785d9abbe70573d28d542af72a11e7c39757993443270d28ea7efa34ee5357
Instruction Fuzzy Hash: C3F1FCB1A00519DFCB14CF68D984A9EBBF6FF88311B1A816AE515EB361DB30EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0750BF4C Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84eb21c8d71c03ae59ce27d76646dd7df222afb2727553744afadfeb0c0efb96
Instruction ID: b5c7dbe989e4af837c49ff9ac489143308296025380f626942274b378c58c2b7
Opcode Fuzzy Hash: 84eb21c8d71c03ae59ce27d76646dd7df222afb2727553744afadfeb0c0efb96
Instruction Fuzzy Hash: 7CB1A0B1A0120ADFDF21EFB5C9546EEBBB2FF85300F20486EC405A7295DB319955CB91

Uniqueness

Uniqueness Score: -1.00%

Function 074F17D8 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a460a77a1527a727a05941f4ab61b597c09c79f14046f899b61e0403b04932
Instruction ID: f5c7239d9e1daf8602678b54d9316d0bd53e935652c053ad28cb023531961c63
Opcode Fuzzy Hash: 71a460a77a1527a727a05941f4ab61b597c09c79f14046f899b61e0403b04932
Instruction Fuzzy Hash: EDD18070B01704CFC724DF79C488AAAB7F6AF85320B544A6EE5528B3E1DB35D886CB54

Uniqueness

Uniqueness Score: -1.00%

Function 074FAAF0 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a751fbe7a6e3d6b42137a3e32a9bb65b70c8e66e6d94c976f80c36f4a7f6a375
Instruction ID: 84f6264709549200135cb6024d418853dc30807406705c02dc949e53771b1d9d
Opcode Fuzzy Hash: a751fbe7a6e3d6b42137a3e32a9bb65b70c8e66e6d94c976f80c36f4a7f6a375
Instruction Fuzzy Hash: 30B1D2B03142569FDB159F24D854BBF7BE7AF8A255F04C82AEA0ACB391CB34C845C791

Uniqueness

Uniqueness Score: -1.00%

Function 074FB050 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe162e2ce4d7c32c1aeaca5a53793f8459194df7121cd5ecbab91f64171c1f7
Instruction ID: 391e1df31ae1d3abe5109e0fd681fb67acd8374b5fccf909d7a1255ddfe8cd9d
Opcode Fuzzy Hash: fbe162e2ce4d7c32c1aeaca5a53793f8459194df7121cd5ecbab91f64171c1f7
Instruction Fuzzy Hash: 25918BF4A105068FCB14DF79C988AEEB7B2EF8A254B158166D605DB361DB30E841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 075079C8 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989268b505a4ab593871478ee7d7224c12835a168cc9d8f073291e273dc6230d
Instruction ID: c179ffe78a1e12efab3af17821056c984fd835ae754e2deb6e8023d1f2fb8f81
Opcode Fuzzy Hash: 989268b505a4ab593871478ee7d7224c12835a168cc9d8f073291e273dc6230d
Instruction Fuzzy Hash: 8E913FB5A006098FCF04DFA8D8949DDBBB2FF89314F144569D905AB355EB30ED51CB80

Uniqueness

Uniqueness Score: -1.00%

Function 07509140 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5910f7f8cb738bd850898a6495140f48e21f9f0428f948821902bf355294fdf
Instruction ID: 53c4f787421dc48cc148969f2153676116ebbcd0918b01d12b1dd9bdec5d4f3d
Opcode Fuzzy Hash: d5910f7f8cb738bd850898a6495140f48e21f9f0428f948821902bf355294fdf
Instruction Fuzzy Hash: 0D810778710615CFCB14EF68D498AA977F6FF89604B158499E502CB3B6DB72EC05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 07507D18 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda4e527c72245ba9d420d2e3fafccf62d566ce000bbab9b2474a7caaa168b39
Instruction ID: 4ccca26c52f5b5fde8c8c5a9e3062e324c7acc7b8929f224842154bb95a14d73
Opcode Fuzzy Hash: fda4e527c72245ba9d420d2e3fafccf62d566ce000bbab9b2474a7caaa168b39
Instruction Fuzzy Hash: 4791D8B5A0160A9FCF51CF68C884AEDB7F2FF48310F14895AE929D7291D730E951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074FD448 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9f02ae581444360706ac18cddcb3a2f441c260de26951c2fa11e14ddc986fb
Instruction ID: 86d16ef59aec12c04d546f3991099cdd22cec20088a7f17735d84cb44ee1b60e
Opcode Fuzzy Hash: cb9f02ae581444360706ac18cddcb3a2f441c260de26951c2fa11e14ddc986fb
Instruction Fuzzy Hash: 4661B4B1B141158FDB14DF39C8A4AAB7BE9EF85614B0644BAE51ACB361DB31DC01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 074FF690 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6564371a3347278a79fe75cc10122e5ae7523e06313bb39645e8157fade69e5
Instruction ID: 126d77a52edb99d6c57025baabb9f8a080d877f6f7f130073717e20b7cf5e3dc
Opcode Fuzzy Hash: d6564371a3347278a79fe75cc10122e5ae7523e06313bb39645e8157fade69e5
Instruction Fuzzy Hash: D0911771D01229DFDB24CFA5D884BDEFBB2BF4A304F1480A9E508A7261DB715A89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07507D09 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a2a16e8bf89ddec30bc997c95e72767f446de5c8e7785ebd961d1044c6b0c9
Instruction ID: 16086a5a2b619c2a004da658b73576745744748e0a6c1ea9eb4241ec28e912d9
Opcode Fuzzy Hash: 48a2a16e8bf89ddec30bc997c95e72767f446de5c8e7785ebd961d1044c6b0c9
Instruction Fuzzy Hash: CF91C6B5A0160A9FCF51CF68C484AEEB7F2FF48310F14895AE869D7291D730E951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074F5CB0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97a757460a2656239bc149f7628c2b2c4602bf22391418738f3ae8ecdcdfc94
Instruction ID: 8416a1be4fefa6d84c9d0c79fb9fdb209885ad5167533341a711b558dae13c9c
Opcode Fuzzy Hash: f97a757460a2656239bc149f7628c2b2c4602bf22391418738f3ae8ecdcdfc94
Instruction Fuzzy Hash: AC71E570B142489FCB04EBB488541EE7BB2FF8A304F2485AED515DB381DB359D5ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 07508C00 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee98daeaf73a61175ced398b9f8e3b8a742779858a27b4402c2e29f21ff257cf
Instruction ID: 3a19b62f428be58bc6029c70aa474d5735e4fa747d6696c2751e7b4f7a8529b0
Opcode Fuzzy Hash: ee98daeaf73a61175ced398b9f8e3b8a742779858a27b4402c2e29f21ff257cf
Instruction Fuzzy Hash: 0E716D35B002098FCB54EB64C4949EDB7F2FF88214B244499D802EB7A1CB35EC45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07508648 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946a4ece3ca1d91644d5509afd1bcae079f66689df11b04ffb7298b470df24e4
Instruction ID: 01a7720315470312120553a0a17317838ef8c58110d865b05d19b7286b79b96a
Opcode Fuzzy Hash: 946a4ece3ca1d91644d5509afd1bcae079f66689df11b04ffb7298b470df24e4
Instruction Fuzzy Hash: 6761C3707102409FCB14AB7994686EEB7F6BFD5204B14486ED506DBB90DF34E84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 074F2C60 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5359a5f68e62bba0010ed2c3dac6c75cec1ce6173447afacce7103b58934abd8
Instruction ID: 45139d1a503b24a551ca0185dc4584daae7f4d51e8e0beb505d5289a5b9a127c
Opcode Fuzzy Hash: 5359a5f68e62bba0010ed2c3dac6c75cec1ce6173447afacce7103b58934abd8
Instruction Fuzzy Hash: 0D51C4B27005125FD718DF6DD884AAEB7A1FF85224F14862BD619CB7A0CB70EC468791

Uniqueness

Uniqueness Score: -1.00%

Function 074F2A07 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd63eda9c6983b30baa1e26f23ec114d1fa2c0bb61324fba00031815d220bde
Instruction ID: e3b2d9d60610970e82eb89c97ce918138ee9e148c649532137537f0aa081ec14
Opcode Fuzzy Hash: bbd63eda9c6983b30baa1e26f23ec114d1fa2c0bb61324fba00031815d220bde
Instruction Fuzzy Hash: 296192B0A00602CFDB259F64C848BEF77E5BF88305F14442AD65ADB3A1DBB59885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 074F2440 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eddc74798766e85e270ad92955ecff6bcfff164db3ae2ebb72455d3b651f5a7
Instruction ID: 214781a045831c2a67661995737bdbcedca7c5d753b4bcb29ba163d6cc168585
Opcode Fuzzy Hash: 1eddc74798766e85e270ad92955ecff6bcfff164db3ae2ebb72455d3b651f5a7
Instruction Fuzzy Hash: F3617070B10602CFDB249F65C848BEF77E6BF88309F14442AD656DB3A0CBB59885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 074F67D4 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad44168245ba36459487a2f4520ae0f0c3b3e221addaed2164779cbf599bccd
Instruction ID: 8f82a54bc5b1a2c7f44b27d84a9cadc2a6b50608cc602854f5031b7363ca0c19
Opcode Fuzzy Hash: 2ad44168245ba36459487a2f4520ae0f0c3b3e221addaed2164779cbf599bccd
Instruction Fuzzy Hash: 7A511870300A02CFD725DB28C598BA677E6BF84709F5548AAE24ACB371CB75EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074F0530 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a157df307cdc026424bf4ecfa42aed19866d41e139b43945186e563cc1f7eae9
Instruction ID: 5d968557dc9a0334094619a47c3dca617364fe21365363adfece7ff46d9ce532
Opcode Fuzzy Hash: a157df307cdc026424bf4ecfa42aed19866d41e139b43945186e563cc1f7eae9
Instruction Fuzzy Hash: E6513AB1B005058FDB24CF25C598BAABBF1AF89304F1585AAE545DB372CB71EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0750BA37 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316973057918fa525b7a57d0acd8028c3fd2ecbd5933e04b202fce53041e87b0
Instruction ID: a444e40bf2576ebc9f8a9f3baa2bade249ae0a05ffa7be75ea52ffaa24dd0278
Opcode Fuzzy Hash: 316973057918fa525b7a57d0acd8028c3fd2ecbd5933e04b202fce53041e87b0
Instruction Fuzzy Hash: D361A4B4A002099FDB14DFA4DA88BDDB7F2BF48304F148169E905AB3A5DB719D41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0750BA48 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d63dcf9ad027b1d1ed5b7343e47c5d57c2f712d0ee01e9a12f0be4f5689b1e
Instruction ID: 1d0291526c56c008a3b0e898edc8bee78cf8d8618acd6bed76aa0e6f59b2665f
Opcode Fuzzy Hash: 72d63dcf9ad027b1d1ed5b7343e47c5d57c2f712d0ee01e9a12f0be4f5689b1e
Instruction Fuzzy Hash: 6961A5B4A0020A9FDB14DFA5D988BDDB7F2BF88304F148165E905AB3A4DB71AD41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0750A4B8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5fbf8b4af33fb112cea0a4028a76803a38fab431f00a4a203c5c2bf97fc5e6
Instruction ID: b47976308077049fae6c59f624db3b312703e84f8b2ed07276574ed4f9cd8c1e
Opcode Fuzzy Hash: 6c5fbf8b4af33fb112cea0a4028a76803a38fab431f00a4a203c5c2bf97fc5e6
Instruction Fuzzy Hash: 0E51C2366012158FCB05DF64D8949ED7BF6FF89241F54806AE905DB3A2DB36EC09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074FEB78 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfba344412f768716aaadb6bf361a9812c8663ba502ec022888ad01a9bbdf6b0
Instruction ID: 7c00cc530f77db488fb2ef8b3675f4a122751f6a8e7b1dbcab2c2fbd99489488
Opcode Fuzzy Hash: cfba344412f768716aaadb6bf361a9812c8663ba502ec022888ad01a9bbdf6b0
Instruction Fuzzy Hash: 484122317141549FDB089F74E8546EE7BF7EF89211F14806AE506DB3A1CF309C068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0750E5C4 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdc22441fcbb2441d7e2b0a1c94f186e30a6c93c3c25b5652af26ec987f5f10
Instruction ID: 2025a79dd838fbec78cb40a6ffb1ddbe0ef0db9270e12539f3299a9e998f1014
Opcode Fuzzy Hash: dbdc22441fcbb2441d7e2b0a1c94f186e30a6c93c3c25b5652af26ec987f5f10
Instruction Fuzzy Hash: FE41BEF0E2861B9BCB21AF64C859AEE7BB0BB45310F504826E802E72D5F674C9108AD1

Uniqueness

Uniqueness Score: -1.00%

Function 0750C408 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6531a6db9c241725a6cdbb5679a43b414a2ceff950887983fb8b3c0ff8d563d7
Instruction ID: 40574d03c99461c3a560b99282db92f1185f94506760cac94e302ded07f4387d
Opcode Fuzzy Hash: 6531a6db9c241725a6cdbb5679a43b414a2ceff950887983fb8b3c0ff8d563d7
Instruction Fuzzy Hash: 3F416FB5E00215CFDB28EBB4D4946FD76B2FFC9219F144929D401AB390DB358984CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 074FF459 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9f87e05c75c71a701cf0744879e1d15ed05f8f8adabcf314f9fef192dbb803
Instruction ID: 8dc4bf974de923b802468a3597d8b8e55d4a79fdddbdada06ddcfbe5db0e1521
Opcode Fuzzy Hash: 0a9f87e05c75c71a701cf0744879e1d15ed05f8f8adabcf314f9fef192dbb803
Instruction Fuzzy Hash: 814181B5E012189FDB48DFA9D895ADEBBF2BF89300F14802AE819A7354DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 074FEA51 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4ae364146ad69ac5dacc2c74296d451a704994f302ea542c68db2aa19273f69
Instruction ID: ecc3646c61cf9ddb4520f631c0abfab4e582b133c88896a4c13db6d7c6ce8735
Opcode Fuzzy Hash: d4ae364146ad69ac5dacc2c74296d451a704994f302ea542c68db2aa19273f69
Instruction Fuzzy Hash: A23116B1B042258FDF248E64D859BEE7BB6FB89212F148967E602D73A1CA31DC41C751

Uniqueness

Uniqueness Score: -1.00%

Function 074FE608 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a490a30a80b1c2089fd6643dfbdefd57d7a3f2cdd6f10a0764c0adfbac21a3d
Instruction ID: 9ee9498bdd10e0347fe635dd64f9e7aefa145a1a9cbdfdf5204e21192bfc143d
Opcode Fuzzy Hash: 6a490a30a80b1c2089fd6643dfbdefd57d7a3f2cdd6f10a0764c0adfbac21a3d
Instruction Fuzzy Hash: 07312DB03182394FDB258BB4D8986BF77A6EF81242B15446BE202CB3B2DF24CC408752

Uniqueness

Uniqueness Score: -1.00%

Function 074FF468 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b1a41ab5c24500609d882bb8f3b7052dedd9deec2952bd6e61e1e20b5edbd7
Instruction ID: 7267d10162056fe359d3f61a94a8c18228c89a29199395abd0e68f572c5d632b
Opcode Fuzzy Hash: 97b1a41ab5c24500609d882bb8f3b7052dedd9deec2952bd6e61e1e20b5edbd7
Instruction Fuzzy Hash: AC418FB5E112189FDB48DFAAD895ADEBBF2BF89300F10802AE819B7354DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 074F4B68 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a90c0a0cee7938d9c95b1f0d899e413bbee6279eec2148246c2b70267635cd5
Instruction ID: ed06940c4380cda05a5283c10e1f2d095df27a34ca74715e16e87f98b7b1a106
Opcode Fuzzy Hash: 6a90c0a0cee7938d9c95b1f0d899e413bbee6279eec2148246c2b70267635cd5
Instruction Fuzzy Hash: 193170B16002558FCB14DF69C8949BB7BF5BF89210705069BE615DB3B2DB70DC41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 074F072C Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f385f153538b81911e9c5a16c7e2bf243751f0709c478fbdb28e27b88be75090
Instruction ID: dbc31359694bb06f0c510d4e11fe8b1916adc771702af63ec1890d9233370320
Opcode Fuzzy Hash: f385f153538b81911e9c5a16c7e2bf243751f0709c478fbdb28e27b88be75090
Instruction Fuzzy Hash: 3F4160703006018FC7249B38C558BAA77E2FFC5714F1589AAD65ACB3B2CB74AC49CB80

Uniqueness

Uniqueness Score: -1.00%

Function 074FA090 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f1b06e90111ee5c1a22fa5e23945aab801581bf27e4f4fdc699fa096f289aa
Instruction ID: 59df045fd17b779dfa734c68416db01543e880d5d0c81aab30ec496571a17e2d
Opcode Fuzzy Hash: c7f1b06e90111ee5c1a22fa5e23945aab801581bf27e4f4fdc699fa096f289aa
Instruction Fuzzy Hash: E5317E7171410A9FCF059F64D984AAF7BB6FF89351F408425FA0987350CB35D961DB90

Uniqueness

Uniqueness Score: -1.00%

Function 074F4B78 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb595202fe6a79d2a01ef2f69a39e8a74ea638682c133facbc76ba5bdce2c56
Instruction ID: 17cb92f0f11fa856f8e8cb0abc262fa13ce4c91df0ebe2fe26299ab7ab3541e5
Opcode Fuzzy Hash: 2fb595202fe6a79d2a01ef2f69a39e8a74ea638682c133facbc76ba5bdce2c56
Instruction Fuzzy Hash: DA3169B16002598FCB04DF69C8849BE77FABF8921071106AAE615DB3B1DB30DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0750A4A8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3e24965a700305e260965cb83b7aed58b7609c93d7954bacbe7eba14addf99
Instruction ID: f27162a1e28b1d1a9999ebc868ae6591f4f16af24beed7bbb67cc985242ead01
Opcode Fuzzy Hash: ca3e24965a700305e260965cb83b7aed58b7609c93d7954bacbe7eba14addf99
Instruction Fuzzy Hash: B0414E76A001098FCF05DFA4D584AEE7BF5FF89300F5484A9E905AB2A6DB35ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074F16B1 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9761ab2de82e2fb9ee44cff3b42c9a769da24df9a407319213a28873deffd4c2
Instruction ID: 0c8fb07265b046253c409a8a48b6eb07f20f464d0ae4c81e6aef0d5f6d6787c4
Opcode Fuzzy Hash: 9761ab2de82e2fb9ee44cff3b42c9a769da24df9a407319213a28873deffd4c2
Instruction Fuzzy Hash: DF312C75700219DFCB149F68C884AAA7BB6BF89221F114696E6259B3B1D771DC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074F16C0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5247776cbb42ec35e10c5dce477ba144910855b8037f6f19d266d1ea696681b
Instruction ID: 239c27755bc1f1a1324f71e725a6b76b3155e2c892ec9bca0e030067c772d98e
Opcode Fuzzy Hash: c5247776cbb42ec35e10c5dce477ba144910855b8037f6f19d266d1ea696681b
Instruction Fuzzy Hash: 18313C75700219DFCB14DF68C884AAE77B6FF88620F11466AE6259B3B1DB71DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074F45A0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6314e201fd95884979165c87fb38ad6d2aaa0b13f436687a654e6fd2af4f65ba
Instruction ID: 3ad31b500ce6f1d46d82c536cca6787bfc027a13a4612af47385a42d84c45b7b
Opcode Fuzzy Hash: 6314e201fd95884979165c87fb38ad6d2aaa0b13f436687a654e6fd2af4f65ba
Instruction Fuzzy Hash: 09316DB13002129FD718DF39D898A6AB7B9FF84255715456EE516CB3A0CF36EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0750D3C8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458808a7d302b780668356baea6d98c194af71e90a7103371370f0d47e9549ee
Instruction ID: 4896aa4d5a20f7fd546064ab7601f6d52676d6e148c02d8d0e523896b1a67a2f
Opcode Fuzzy Hash: 458808a7d302b780668356baea6d98c194af71e90a7103371370f0d47e9549ee
Instruction Fuzzy Hash: 25312A71A00609CFCB14DFA8C955AEDB7F0FF49200F2445AAD505EB2A1D775AE40CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 074FD688 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8be5b0084548a679b746e37dec04822e87a91a33e7defd20de134958f94afd
Instruction ID: 63ee487643314fb2e130e6da1a2846f5bbe29de4d0ada5eb3977377fb4c191aa
Opcode Fuzzy Hash: 6f8be5b0084548a679b746e37dec04822e87a91a33e7defd20de134958f94afd
Instruction Fuzzy Hash: D12137B47242164BDB24663584B43BF66DB9FC1259F24803AE602CF390DF69CC429F41

Uniqueness

Uniqueness Score: -1.00%

Function 074FED21 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78474a4a5f6e70e80fb930a507acfce9e61010b2540a6636234517b45094c479
Instruction ID: edf69fdea4b79ae0df021b4c495b663311063e49cbd0028d0a633696210801ed
Opcode Fuzzy Hash: 78474a4a5f6e70e80fb930a507acfce9e61010b2540a6636234517b45094c479
Instruction Fuzzy Hash: 1A3154B1E001168FCB04CF68D884AEEBBB6FF85351B198166E5159B3B1C734EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074FD678 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6679d7bcf77db2a2ccf1fcb631f212d9130628a6a077e50a12b1f502190d44a3
Instruction ID: e1d7bbb71db1ab1860f751b2d1aaf0a1efd313ad9e33fbf2a07f8f8495529838
Opcode Fuzzy Hash: 6679d7bcf77db2a2ccf1fcb631f212d9130628a6a077e50a12b1f502190d44a3
Instruction Fuzzy Hash: 7D214CB47242168BCB24573594B82BF76D79FC1159B14843ADA06CF3A0DF28C8419F41

Uniqueness

Uniqueness Score: -1.00%

Function 074FF680 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69fe89152083170eb299e61e2107cf348f903a2d033b18589e1e2315987ae270
Instruction ID: 7d5a10cd0c215471df8becb18df6be0e9b6991df53fe9bf34fc8a8e6d076f2c8
Opcode Fuzzy Hash: 69fe89152083170eb299e61e2107cf348f903a2d033b18589e1e2315987ae270
Instruction Fuzzy Hash: 05310EB1E01229DFDB54CF66D8407EEBBB2AF86304F0484AAD548A7360DB754989CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0750BD58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2d9f2ea00eeffc9e9a4b7d5364abc8e7e62de12cc1eda9e5c9cec90604b046
Instruction ID: f9cb30ef3130bd1a31ca21408cf3dea15daa2f7411a0b6ada616beb6ee76accb
Opcode Fuzzy Hash: 9f2d9f2ea00eeffc9e9a4b7d5364abc8e7e62de12cc1eda9e5c9cec90604b046
Instruction Fuzzy Hash: 8E21AEF1F11B16CBCB256BA8C4845EABB70FF42240F504966D84AA72C4FB31D951CAD1

Uniqueness

Uniqueness Score: -1.00%

Function 075077D8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6255a4421cda62f45ccc6dc429ddc9e76af455035eaf875ead3fdd225b901d97
Instruction ID: a397189d8592a5d95b5d00a615447d0508af34cde097ac73311755d2c315c138
Opcode Fuzzy Hash: 6255a4421cda62f45ccc6dc429ddc9e76af455035eaf875ead3fdd225b901d97
Instruction Fuzzy Hash: 48213AB6B006108FEF28CB64C8D15BEBBE7FF88214B18846AD146D3791DA34F941C761

Uniqueness

Uniqueness Score: -1.00%

Function 075077E8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a976816463b73a1b57ec585d107cd1834c0dc8445ee6a41dcaf66d91361574
Instruction ID: 39204ae2f0f2c87a73e8fe71d1ad50da9c031b8defbd2e6dc9cb02a6352fd05c
Opcode Fuzzy Hash: 95a976816463b73a1b57ec585d107cd1834c0dc8445ee6a41dcaf66d91361574
Instruction Fuzzy Hash: E4210776B005118FEF288A24C8915BEBBE6FFC8214B58846AD506D3790DA34F941C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 074F2850 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d850aef39103a9a4c2e140a36901ef790a7e271b232a9d2d7d73f7183db894
Instruction ID: a8864873e575fef584f3a574ce9096f8b79ef5d1a8e1cab9fd61ce3c33b26376
Opcode Fuzzy Hash: 60d850aef39103a9a4c2e140a36901ef790a7e271b232a9d2d7d73f7183db894
Instruction Fuzzy Hash: BF21E070600345CBC724EE39C4408AF77B5FF82204B104A2EE9528B290DB71E856EB60

Uniqueness

Uniqueness Score: -1.00%

Function 07509131 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8994c5906e916f0b630bc05163e8862f6ed4a958965dd120bf9deec2c3b461b
Instruction ID: 5438a1f148a6586db076fcd7b00f01a7c20650453b5959a55ae24a97f6ca98b1
Opcode Fuzzy Hash: a8994c5906e916f0b630bc05163e8862f6ed4a958965dd120bf9deec2c3b461b
Instruction Fuzzy Hash: 972139787105149FCB14DB28D4989AE7BF6BF88A04B0541AAE502CB375DF71EC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012BD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336448311.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12bd000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728400a14fcfa51730fa16d9585b633a549ab4231432a68e4abaeac04778fff7
Instruction ID: 0df0a5c658e2232aa9af1ec5f39bab761e7ab8f11a192d8695e0328a0ac78934
Opcode Fuzzy Hash: 728400a14fcfa51730fa16d9585b633a549ab4231432a68e4abaeac04778fff7
Instruction Fuzzy Hash: 4A213671514248DFDB01CF54E9C0BD6BF61FB8836CF248568D9090B206C376E849CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012BD3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336448311.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12bd000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da104b0d5cdb932f6572a664d0e57c07ab36e32b6d693c1202797bffff75f6e3
Instruction ID: 4c0fec32a377a64a9bf74b8e430e8d67a2cda8fd454fc976d0b2f1e88734d15b
Opcode Fuzzy Hash: da104b0d5cdb932f6572a664d0e57c07ab36e32b6d693c1202797bffff75f6e3
Instruction Fuzzy Hash: 9C213671510248DFDB01CF54D8C0BD6BB71FB88368F24C5A9E9090B607C33AE84ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 074FAEB8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61be306031c124b09be27a52d5566be8b95e59058bef63f695fb1148d129e00b
Instruction ID: 3f7ea088098ecac7ea45ffe587c02ff54389ec9cf6d187d07baeab553bf69d2c
Opcode Fuzzy Hash: 61be306031c124b09be27a52d5566be8b95e59058bef63f695fb1148d129e00b
Instruction Fuzzy Hash: 812105B53006128FC7289A25D484A6FB7A2FF8A766715C56AEA0ACF354CF30DC0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 07508637 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0606897fda610b03cb87f654249859ad4573bf5f91f5783c36782bca9caecb2d
Instruction ID: b163db0ad5293dae6cc0a4c84cb4098305d1b399ed77b669045cdf9224844aa9
Opcode Fuzzy Hash: 0606897fda610b03cb87f654249859ad4573bf5f91f5783c36782bca9caecb2d
Instruction Fuzzy Hash: 2B21CD75300341DBDB289B35A464ABB73EABFD8144B04887DD942C7B94EF31E846C760

Uniqueness

Uniqueness Score: -1.00%

Function 074F2840 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 835a0314792f4f58034d882958aa8f37c783bb9745d9177e6c2d94f897011404
Instruction ID: aa5e12a03072ae281028555324fc2a18adfbe1177587620119073820d71582e9
Opcode Fuzzy Hash: 835a0314792f4f58034d882958aa8f37c783bb9745d9177e6c2d94f897011404
Instruction Fuzzy Hash: 7821FFB060034ACBCB209E39C4409EF7BB9FF82350F004B2EEA5186290DB75D956EB60

Uniqueness

Uniqueness Score: -1.00%

Function 012CD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336497868.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12cd000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f33b8590978ee3200ed93d758e8f9985f1fc21634758485671aa53d5abb1124
Instruction ID: bb6676ef3e80bb7f5cf3c8dd14aa60edabea2b68751ba8841be4f06cbb325b45
Opcode Fuzzy Hash: 6f33b8590978ee3200ed93d758e8f9985f1fc21634758485671aa53d5abb1124
Instruction Fuzzy Hash: 1B213371514248DFCB10CF68D4C0B16BB61FB88764F24CABDDA094B742C376D84ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 012CD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336497868.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12cd000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0f31f04a7187a02305cfa51b95a7e217f2f9cc5a417491017bddd83264fd65
Instruction ID: dc2e45efba08de54f8719372a4e181be0779732b89ce0e66b3b74e6d0d3f6a1c
Opcode Fuzzy Hash: ba0f31f04a7187a02305cfa51b95a7e217f2f9cc5a417491017bddd83264fd65
Instruction Fuzzy Hash: E6212571514248DFDB01DF94D9C0B26BB62FB88724F24C6BDDA494B743C376D84ACAA2

Uniqueness

Uniqueness Score: -1.00%

Function 074F458F Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234398bc6203240968c599835f3ce3f8e870b71459d32143c516e64f1fe95e91
Instruction ID: 79ea06276586a82871fb4b57da814d3481c306a5d983bd44f2a898ee1a697ff0
Opcode Fuzzy Hash: 234398bc6203240968c599835f3ce3f8e870b71459d32143c516e64f1fe95e91
Instruction Fuzzy Hash: 532108B03052519FD319AF39C894AABBBA5FF85324B05456EFA058B390CF31DC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 074F3C60 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4949bb4da4dc0ecb44c853992feb19b0ad3c9be8caf836718415e6d3ea6ad12f
Instruction ID: 2e97c2608c4dc6780c6a37fc1dd145d041d6812d8dc3ab83beaec8c150255101
Opcode Fuzzy Hash: 4949bb4da4dc0ecb44c853992feb19b0ad3c9be8caf836718415e6d3ea6ad12f
Instruction Fuzzy Hash: 75219075304605CBC718EE359495AEFB7A7AFC5224725843ED60AC7350DF70EC029790

Uniqueness

Uniqueness Score: -1.00%

Function 0750C6D0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248ff8ad626b7888a3a7df452022b3125cdbd01c936e9dff4db42b2fb5247331
Instruction ID: 4a73d1a322d32afe55866a8575c40e39f25e057d7dffe2e10dba2f6fcc7babff
Opcode Fuzzy Hash: 248ff8ad626b7888a3a7df452022b3125cdbd01c936e9dff4db42b2fb5247331
Instruction Fuzzy Hash: 8221CF35A10219AFDF05EBB0D8489DEBBB6FF8A304F448A19E101BB250DF75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074F4460 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311112fa2010722c3fac80171e2969ac04fec392d07c35d6432cc7b68088037c
Instruction ID: 47f57d9176ed1217de7be64128a5f96bd935220efa57e12a150aeb0c3933775c
Opcode Fuzzy Hash: 311112fa2010722c3fac80171e2969ac04fec392d07c35d6432cc7b68088037c
Instruction Fuzzy Hash: 7B219F706006418FDB24EB2DC444BABB3E6AF85315F09897ADA09D77A0CF74EC46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 074F24E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a16e9c097d7fe5cea027b1b9a1436301cd5d8b718fbd12d6854e0e44a435a1
Instruction ID: fc833d19e1b389ddf41c3e0bb93ec9691b7ad476f567d8f9ff90c0f98cec5a85
Opcode Fuzzy Hash: 52a16e9c097d7fe5cea027b1b9a1436301cd5d8b718fbd12d6854e0e44a435a1
Instruction Fuzzy Hash: 75218E71700A129FC7649A29C894BAAB3A6BF84214F54856AE61DCB350CFB4EC4A8780

Uniqueness

Uniqueness Score: -1.00%

Function 0750E594 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00836e0d5771dcbb320e2ee158cf1d0124f7cede39ac0aaec0d1e75221d6e569
Instruction ID: af2e69dfa340cba94d9986a65275a6d6e9a0be55d4a9c90a364155b7998f5fe8
Opcode Fuzzy Hash: 00836e0d5771dcbb320e2ee158cf1d0124f7cede39ac0aaec0d1e75221d6e569
Instruction Fuzzy Hash: 8821F4B19113099FDB10DF99D984ADEFBF4FB48314F64882EE419A7740D374A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07506E30 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9071bb0da3caa19b7fc77a8e79079597951f6c83323f570a9c94a1b107423cfa
Instruction ID: 469944d425c7bb074189ca59337413af885f8a169f35fff207e8db6a7b7fbb0d
Opcode Fuzzy Hash: 9071bb0da3caa19b7fc77a8e79079597951f6c83323f570a9c94a1b107423cfa
Instruction Fuzzy Hash: EF1173B16097849FD712DB74D855BDB7FB4EF42240F0800DFD584CB6A2EA62DA14C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0750BD48 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64935411855d55ef7e34fe371bd68687106d2abdc71be2dfef0109f993bd22f
Instruction ID: 3cb834ebcd066ae806cc4738e67a559812cd7415f06158258918fab1e6fda83d
Opcode Fuzzy Hash: b64935411855d55ef7e34fe371bd68687106d2abdc71be2dfef0109f993bd22f
Instruction Fuzzy Hash: F91194B2F05216EBCB116AD5D5446FD7FB0FB81248F600CA2C889B32D4F23186348AD5

Uniqueness

Uniqueness Score: -1.00%

Function 074FAEA8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c352bebe8bd06e7d7100da525ca7f6af2f460322df0c492ab8fad98e07fe508f
Instruction ID: 82b417f2bd932e4859f333f24761d545b12a61d6a7ab66295ccc8b22b5c07509
Opcode Fuzzy Hash: c352bebe8bd06e7d7100da525ca7f6af2f460322df0c492ab8fad98e07fe508f
Instruction Fuzzy Hash: BA11E7B17056128FC7299B29D49496B7BB6FF8626231584ABFA0ADF351DF20DC018790

Uniqueness

Uniqueness Score: -1.00%

Function 07506800 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71456d52db654d136b6cf061220df049249b5ed2e99fb87fd9cd3678297479c
Instruction ID: 401214d121f4229b4b84be2fc818ec896f1b90665432cc6a06f2a328ce13fcd2
Opcode Fuzzy Hash: a71456d52db654d136b6cf061220df049249b5ed2e99fb87fd9cd3678297479c
Instruction Fuzzy Hash: 30212C71E0020A9FCB04DFADC8449EFFBF9FF88200B10855AE518A7211E7709942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012CD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336497868.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12cd000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f42ee2aa791adf60bb1db09a6fd02ef5378a8ddfe8d5c1ef62fcd05896a781d
Instruction ID: c8fd4742775aca4720305b3c8ee5a6c44ffa1841d4e4cad9fee2ae109a7d4454
Opcode Fuzzy Hash: 0f42ee2aa791adf60bb1db09a6fd02ef5378a8ddfe8d5c1ef62fcd05896a781d
Instruction Fuzzy Hash: B92192754083849FCB03CF68D994B11BF71EB46714F28C6EAD9458B657C33A984ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 074F4470 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b44ecc51daca8e083b1c5780dd1c5ac570f8e8315161ac6681d7904a4e0ad7
Instruction ID: 20ddb2935403815d65294496a70967b7a9409d3e2ac8c130db7483356721ab74
Opcode Fuzzy Hash: 90b44ecc51daca8e083b1c5780dd1c5ac570f8e8315161ac6681d7904a4e0ad7
Instruction Fuzzy Hash: C2116D703006418FD728EB29C444BABB3E6AF89315F09887ADA09C77A0DF74E845CA55

Uniqueness

Uniqueness Score: -1.00%

Function 0750F228 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cd72cfed94b935ac20eb844c5e8a2ddb34cd87811b5427a75799d0766cc62d
Instruction ID: eeadd71df571233379ccfa446c35e7975ee4d9a25c0eea6854c9aa7bb8fc5eab
Opcode Fuzzy Hash: c2cd72cfed94b935ac20eb844c5e8a2ddb34cd87811b5427a75799d0766cc62d
Instruction Fuzzy Hash: BE212F30914B09DBCB14FF68C9556EEB7B1BF89300F10892DD45577290EF75A948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 07506810 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2989b9b19c5112dc146dce656a469f1a90491e78bc03c3fef074b22fccc6b5ef
Instruction ID: eb7e4179c71b3b25f90e883270fa3a59bd15ee1e44d3511931c826d189686589
Opcode Fuzzy Hash: 2989b9b19c5112dc146dce656a469f1a90491e78bc03c3fef074b22fccc6b5ef
Instruction Fuzzy Hash: 5821FC71E0020A9F8B04DFADC8448AFFBF9FF98310B10855AE518E7211E770A952CB90

Uniqueness

Uniqueness Score: -1.00%

Function 074F7388 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4602f329df6660448421e0ec8aee165f284282014cca41516a31d49cfdaebcb
Instruction ID: 2fdc6350564fbc8610775745bcfc621c7924b7712fdbab0ceb7c3081216bd0b6
Opcode Fuzzy Hash: f4602f329df6660448421e0ec8aee165f284282014cca41516a31d49cfdaebcb
Instruction Fuzzy Hash: 5C1108B0A44144AFC705EB78C4550EC7BB2EF86204BA481AAC219CF7A1DF316C5FD792

Uniqueness

Uniqueness Score: -1.00%

Function 074F731B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6412e6f04ee8df5547e7be6a42401490c4eb8066e76cea811d027c815dd2b3c1
Instruction ID: 96604d551b72e1bddad4fdae463e8163e3620b7c4438de889bf60a42517c8f45
Opcode Fuzzy Hash: 6412e6f04ee8df5547e7be6a42401490c4eb8066e76cea811d027c815dd2b3c1
Instruction Fuzzy Hash: E01106F5509285ABC316CF78D8556997FB0DB42214F9C82EFCE488B3E2D33A9856C742

Uniqueness

Uniqueness Score: -1.00%

Function 012BD3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336448311.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12bd000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939b8f6cb92a788342e5b4ce8085052b16ec77100d7f5ff06dca7e4d14cb17ff
Instruction ID: 549e9d289972c4e106b2d16a5ba7b2b8e61bb1c98fbe05b2ada07990d5e29bfb
Opcode Fuzzy Hash: 939b8f6cb92a788342e5b4ce8085052b16ec77100d7f5ff06dca7e4d14cb17ff
Instruction Fuzzy Hash: 0711D376404284CFDB12CF54D5C4B96BF71FB88368F24C6A9D9450B617C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012BD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336448311.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12bd000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939b8f6cb92a788342e5b4ce8085052b16ec77100d7f5ff06dca7e4d14cb17ff
Instruction ID: 778cb93d161e02423c37ebb9eed67bb4559d17b519f1808f87e7f935b6eee298
Opcode Fuzzy Hash: 939b8f6cb92a788342e5b4ce8085052b16ec77100d7f5ff06dca7e4d14cb17ff
Instruction Fuzzy Hash: 4D11B176904284CFDB12CF54E5C4B96BF71FB88368F2886A9D9050B617C336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07508B64 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c9e1ce200bd1694fbfe12068ad9d4e402aedd32b3feb4812778c3038498d4a
Instruction ID: c9a6a2a1e7d2e829581c6d03cca313454ced2cf7a5527be433d25c39f861e336
Opcode Fuzzy Hash: 72c9e1ce200bd1694fbfe12068ad9d4e402aedd32b3feb4812778c3038498d4a
Instruction Fuzzy Hash: AC118E317101119FCB04DB69D898AAFB7EAFFC9704F408869E108DB361EB72AD4587E1

Uniqueness

Uniqueness Score: -1.00%

Function 07507928 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310ff5a7203092cf59a03af5588fe16be329d59efdd220c5c95c49d9c21806ff
Instruction ID: dda3e5b0d4add3593578d8656c0304eea73c709bfc3ac828f3e047315d491875
Opcode Fuzzy Hash: 310ff5a7203092cf59a03af5588fe16be329d59efdd220c5c95c49d9c21806ff
Instruction Fuzzy Hash: 7511BCB5E0021A9FCF45DFADD8449AEBBF5FF8C210B10816AE958E7315E7309912CB91

Uniqueness

Uniqueness Score: -1.00%

Function 074F3C50 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af374970e6869133e7557e97bfc8cd9f9661c33e7fd2be21d622de83d8a95415
Instruction ID: 718b3cc1b0a0e546bb283a67591aff02f46faac6551bfb82f749cb0b70aa3ac5
Opcode Fuzzy Hash: af374970e6869133e7557e97bfc8cd9f9661c33e7fd2be21d622de83d8a95415
Instruction Fuzzy Hash: CB0126B63042419BC7299E3494956EB77A2EFC6221719446FD609C7310DF30AC0697D0

Uniqueness

Uniqueness Score: -1.00%

Function 0750A1B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e586b8e5f8e22edd3b0e21f37d9220f9f040af2543623c8555ff54891532579
Instruction ID: ee84dc2dffcef993036861630969a80531463eebb352ed2870cd0bb062e27879
Opcode Fuzzy Hash: 4e586b8e5f8e22edd3b0e21f37d9220f9f040af2543623c8555ff54891532579
Instruction Fuzzy Hash: 6801B1753006018FDB28AA75D490BAE7396FFC4654F14847AD10ACB791CE3A9C41C780

Uniqueness

Uniqueness Score: -1.00%

Function 012CD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336497868.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12cd000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914b47b52eb416d8c2029453fd14364f30e4d74c62ff008a8db9dda63a452011
Instruction ID: 6c3de1941f9c68e8925f81dc92837bce8f38b68c0fff21a3946d8733e4a3fa8a
Opcode Fuzzy Hash: 914b47b52eb416d8c2029453fd14364f30e4d74c62ff008a8db9dda63a452011
Instruction Fuzzy Hash: 3111EE76404284CFDB02CF54C5C0B15BB72FB84624F24C6ADDA484B657C33AD40ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 07507938 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44432a1cfa7156291b9e89730e492eceb9e116bf08df8e3788284a61d29d428e
Instruction ID: 99316fa9c23661bee2b643c5a85ffce0c2cc7496cff3ab12912561816b989072
Opcode Fuzzy Hash: 44432a1cfa7156291b9e89730e492eceb9e116bf08df8e3788284a61d29d428e
Instruction Fuzzy Hash: 6B1189B5E0051A9F8B44DFADC9449AEBBF5FF88210B10816AE919E7315E7319911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0750A400 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a938c035b056e2a981a5ac242131d648aae97564ac2c10bfd9ce2b41d355f6e0
Instruction ID: 986bc3996552f6480ed02dc6c28a131ba0089f479d648a99d5fc5a22e1c7a544
Opcode Fuzzy Hash: a938c035b056e2a981a5ac242131d648aae97564ac2c10bfd9ce2b41d355f6e0
Instruction Fuzzy Hash: C411CE317102108FCB04DB68C894AAEBBF6EF88305F40846AE004DB365EB729D058B91

Uniqueness

Uniqueness Score: -1.00%

Function 074F2E47 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bef6028308d74b808cb373aa830aae82f4c4e5c0b8ae8aaac579c2c1eed650
Instruction ID: 68ad3b744585c072b67fb6d007ddf0382e15803ca85c3cee38c78a281b7726fd
Opcode Fuzzy Hash: d6bef6028308d74b808cb373aa830aae82f4c4e5c0b8ae8aaac579c2c1eed650
Instruction Fuzzy Hash: 84116DF2B046128FC714CF28C894BAA77B4FF4922572506ABE214CB3A1D7B0DC40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0750CAB8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b84f4748ef1610e980df2b16543aa31b24f5af1aea671cf49b93d9782440b4d2
Instruction ID: d9b21c4591310b76cc411a6fd4e1f2faf9a9a9016f27cc576209f48e92ef2609
Opcode Fuzzy Hash: b84f4748ef1610e980df2b16543aa31b24f5af1aea671cf49b93d9782440b4d2
Instruction Fuzzy Hash: 95017C753406009FD728EF6AE804F6A73A9EF85624B144569F506CB6A0CB21EC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 074FAA50 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49537279f7f75200e9c04ef78739708647282b8ec5042468e8fafc41162cfa0d
Instruction ID: 0ee8acb3532576727bf97c493a16835f597fbe899f5fd9641eec12ac8aa2eecc
Opcode Fuzzy Hash: 49537279f7f75200e9c04ef78739708647282b8ec5042468e8fafc41162cfa0d
Instruction Fuzzy Hash: 4C01F7B2B05106AFCB06CE54A900ADB3FB6DBCA751F18C067F618C7250D67589068B90

Uniqueness

Uniqueness Score: -1.00%

Function 074FAA60 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854eea8e49bce38f4ce01b56a2272dc4a3f5c32d63e30a6fafb2ef93f0084fd9
Instruction ID: cb9e76a73bdcfe1731a86337bfd08422e868c3e43e071a2be92e1791799a8c2f
Opcode Fuzzy Hash: 854eea8e49bce38f4ce01b56a2272dc4a3f5c32d63e30a6fafb2ef93f0084fd9
Instruction Fuzzy Hash: C6012672B04019ABCB05DE559800AEF3BEBDBC97A0B14C06AF609C3340CE718C0597D1

Uniqueness

Uniqueness Score: -1.00%

Function 074F78B1 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0da40dad4c690f553ce493c876910f07e5fe5a4cf68461ccfc3c9e51a1d74ee
Instruction ID: f117f198c62d145d6758f3b1cc882fd239f524878ab52e9adc4b9de31a5f5e4c
Opcode Fuzzy Hash: e0da40dad4c690f553ce493c876910f07e5fe5a4cf68461ccfc3c9e51a1d74ee
Instruction Fuzzy Hash: E701F2F06057128BDB269A359000BE67BE59F02254F44446FD349877A1D739E885C790

Uniqueness

Uniqueness Score: -1.00%

Function 075068A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8179bc62e6db411912e631096cef59ec34232f1c5faf16d1a469c7e24fb3219b
Instruction ID: f195113320adb126abd15e833c2cb22ec55431b96215031ce99144528926aa22
Opcode Fuzzy Hash: 8179bc62e6db411912e631096cef59ec34232f1c5faf16d1a469c7e24fb3219b
Instruction Fuzzy Hash: CB017C713002018FCB14DB19C454BA6B3E6FF86718B158CBAD409CB7A1DB36ED56CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012BD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336448311.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12bd000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64141e27e4c20a920d86c71a63d10eeaa68a31a2bb231466a6a5a2f623a43dc1
Instruction ID: e896c40d7c84367dae4e2dff104a464fd44db2668f34dd0b48dd1795ee5c76b7
Opcode Fuzzy Hash: 64141e27e4c20a920d86c71a63d10eeaa68a31a2bb231466a6a5a2f623a43dc1
Instruction Fuzzy Hash: C201F7314143C89AE7145A55CDC4BE6BF98EF413BCF08855AEA094A746C3799848DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 075068B8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000c1ee3f626fdec1ac82c0b9e3bc6f6f84282f7da8c4a4cb3f368b246c0ea59
Instruction ID: 1107ba288cb2592b666a450aef4c80d5fab97d0235c85de6abeb85f42d1377fe
Opcode Fuzzy Hash: 000c1ee3f626fdec1ac82c0b9e3bc6f6f84282f7da8c4a4cb3f368b246c0ea59
Instruction Fuzzy Hash: 11016D703102018FCB14DB19D454AA6B3EAFF85714B1588BAD409CB7A1DF71ED46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0750B998 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63af790073fd8ceab90303ea9c8eee2a575b91eea422d4ac8cc6cdf3319b4e0
Instruction ID: 032e6d94c0b7962b9d893b58f099137afef29aa603d1b2597899daac75d6457a
Opcode Fuzzy Hash: d63af790073fd8ceab90303ea9c8eee2a575b91eea422d4ac8cc6cdf3319b4e0
Instruction Fuzzy Hash: 8A01E9B4E0020ACFC700EF98D884AAEB7B1BF48310F208456D915E7351DB359D01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 074F78C0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3592033bca0f1456a4bdc1be1fd8d39912a4f621c4a92c8671aa84a633371e
Instruction ID: 4ab10a30c44604350673ca8c3eda3cc7580dbef7960c6d30afed6570a40a34b1
Opcode Fuzzy Hash: 8d3592033bca0f1456a4bdc1be1fd8d39912a4f621c4a92c8671aa84a633371e
Instruction Fuzzy Hash: FFF022B0600711CBEB25DA26D000BEBB3E5EF45358F40886ED60AC77A0DB79EC85C790

Uniqueness

Uniqueness Score: -1.00%

Function 0750F4D8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b8a2aef88ac3cfa1d82354444358ef0c545f8a01babcc449cd0828958b3f895
Instruction ID: 1af28b9aa71fd8fcab9ce13b8515b6ed8de825f24c845e8e7e165cb3d3aa2bfb
Opcode Fuzzy Hash: 8b8a2aef88ac3cfa1d82354444358ef0c545f8a01babcc449cd0828958b3f895
Instruction Fuzzy Hash: E801D63191060A9BCF10EF79D8448C9FB76FFC9304F118729E10567150EB70A599C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 075078C0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a6cb249b8b364bd9c192838c449bc87bfe716e60b899a8275e67e11888022f
Instruction ID: ea2fd87e513fc4d59f64375defc4ea19d3d070a635fe395eb17cb7fa0536d44a
Opcode Fuzzy Hash: 59a6cb249b8b364bd9c192838c449bc87bfe716e60b899a8275e67e11888022f
Instruction Fuzzy Hash: 64F0F632A105089FC710FBA9D844DCEFBF8EFC9710F04416AE20497320EB71A94687A5

Uniqueness

Uniqueness Score: -1.00%

Function 0750B989 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d63179361e7724edadee0ec241b4be4acae190ed446058f8b6800f3726fb23
Instruction ID: 1dfcae82f308631a5e86012c51b74bbcf1880b4ef2b50fd79ba2129ea7a8d33b
Opcode Fuzzy Hash: d6d63179361e7724edadee0ec241b4be4acae190ed446058f8b6800f3726fb23
Instruction Fuzzy Hash: 420112B0E0124ACFC744EFA8D888AAEBBB1BF49304F24889AD815E7391D7345D01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012BD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336448311.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12bd000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2501d09b33915702579c7f4bfa6f0f91391211114a69c385eb21523eb7c780e3
Instruction ID: 8f5b801f7a4202d756c23affde60a3f887a6d754385f9dfa0f7d7fc3f74705b1
Opcode Fuzzy Hash: 2501d09b33915702579c7f4bfa6f0f91391211114a69c385eb21523eb7c780e3
Instruction Fuzzy Hash: A8F0F6714053849EE7159E19CCC4BE6FFA8EB41778F18C45AEE080B386C3799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 074FFEE0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8335daada7fdde11284d8aaedcc0d64b66989455f6697effbbf390bad8212c66
Instruction ID: 493dfa113c045c8ee351c8f69d203991a857d9954458c77ee03d844bfc3445ef
Opcode Fuzzy Hash: 8335daada7fdde11284d8aaedcc0d64b66989455f6697effbbf390bad8212c66
Instruction Fuzzy Hash: 4DF0E2B23046514FC7215B39A80867E3FAA9BC7622B0D40A6F505C73A3DF188D0493A0

Uniqueness

Uniqueness Score: -1.00%

Function 0750BBAE Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8814347bddff0f644c93a9b987b0a9352f41686c22cb1d79944f8394fe68e611
Instruction ID: 357a5140dc1c3bbfc5a3c48573b2294bcbf84fc473851cb3e02235cf28166dbb
Opcode Fuzzy Hash: 8814347bddff0f644c93a9b987b0a9352f41686c22cb1d79944f8394fe68e611
Instruction Fuzzy Hash: CD01C4B190010AEBDF15CE94DD89BEEB7B2BB49301F148055E912362E0CB729890DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07509958 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5d9ac1a639078925c77a4e182a778a0f8d02c1a6818d023d8efaaa222c8003
Instruction ID: 89af1a7e39ce559ce80612686cb6f914f32aac442414338621a41f6997431e72
Opcode Fuzzy Hash: af5d9ac1a639078925c77a4e182a778a0f8d02c1a6818d023d8efaaa222c8003
Instruction Fuzzy Hash: 5EF0E235B08A505FCB1AAB69A418D6E3FAA9FC955031500AAE408C73A7CF658D02C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 074F7927 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3538c3d8b7ab2c024063ca82b621f855e5fd0fe80f07e9d28fd83390b16fd8
Instruction ID: 505bdca62febe5c59d8a1f75814b9b7904f411f6a88b5ced97fc87457f98248a
Opcode Fuzzy Hash: 7f3538c3d8b7ab2c024063ca82b621f855e5fd0fe80f07e9d28fd83390b16fd8
Instruction Fuzzy Hash: 5EE0E5713091412BD716523D9488DAA7FDDEF8B5A5B9900FEE208C7733C8158C068390

Uniqueness

Uniqueness Score: -1.00%

Function 0750DA78 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eabedaaf70cd6147f141042134637b0fcc1089350b4418988392d9d77935e84
Instruction ID: 1f4a409113a88a563c494057d83742d495166bff88ed23297cd16a8d247560ed
Opcode Fuzzy Hash: 7eabedaaf70cd6147f141042134637b0fcc1089350b4418988392d9d77935e84
Instruction Fuzzy Hash: 0DF0E2B0209368DFD3056F29C8614E67BB5FB4360435448ABD048CB7A2C675EC85C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 074F5CA1 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e088739beca4f3c2b7953bbcee9ab5a62c5b21d504ba85e4646da966dde1d2
Instruction ID: 0a2ef769291d4cdfdad7e1684fe74529c14582dd92f0909be58f5e6357ff4238
Opcode Fuzzy Hash: 59e088739beca4f3c2b7953bbcee9ab5a62c5b21d504ba85e4646da966dde1d2
Instruction Fuzzy Hash: 6FF0B47250028DAB8F119E588C044DA7BB4EE06224B188567EAB5D2242D338D530D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 074F4530 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75311aa9d978b56897759fddb8022339274f008422aa600e8a96ebefdacb9a6c
Instruction ID: cc410b7c13c0abe9ce9d16333ba1d3aaf826291033904130d21aa1b53966adb9
Opcode Fuzzy Hash: 75311aa9d978b56897759fddb8022339274f008422aa600e8a96ebefdacb9a6c
Instruction Fuzzy Hash: 51F0A0312102149FD714AB38C419BDA73E9BF85714F04487ED28ACB361CE70AC85C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 074F67C4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8100e93ccacec59a41478b353ad6a0fb5603fd9c33bed1f0a4ea02071aabd337
Instruction ID: da36312d594400c747436c7ff27b233c898431d5425b845fd12b1b4b99225b94
Opcode Fuzzy Hash: 8100e93ccacec59a41478b353ad6a0fb5603fd9c33bed1f0a4ea02071aabd337
Instruction Fuzzy Hash: FEE08631355011AB8214636E94DCDBAB7DEFBDE5717A404BBE60DC7321CD119C059394

Uniqueness

Uniqueness Score: -1.00%

Function 074FFEF0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f451fb20cfdc2ce93bdf0894b5cabf5fc3ee3b455a8763d38dd65021664221a
Instruction ID: 85c2448655d9c86a1f3c9ab4742cb838ece35bb44713529fb647f95303ea0b05
Opcode Fuzzy Hash: 0f451fb20cfdc2ce93bdf0894b5cabf5fc3ee3b455a8763d38dd65021664221a
Instruction Fuzzy Hash: B0E048333149108FC7545629E84957E7BEADFC9A32319807AF50AC7361DF658D019764

Uniqueness

Uniqueness Score: -1.00%

Function 074F7CA8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d52b4153549664fe8ef876f7160f05fe8bc11bcc05245b77352b8274794c37
Instruction ID: 6e940b03a13b2741220c6b912a96b857e6fe1533f75353c3dd69c9c5433e5ee7
Opcode Fuzzy Hash: b8d52b4153549664fe8ef876f7160f05fe8bc11bcc05245b77352b8274794c37
Instruction Fuzzy Hash: 64E0D8F26083D25BC326462E64085E77F968BC6131B4DC0A7E249C7292DE299C03D3D1

Uniqueness

Uniqueness Score: -1.00%

Function 074F6E90 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4737a234a86d3be54f50f187dd7856472c7bc174d50f7591e61e27da4ec828
Instruction ID: 5664e7e63b2289194006e12e8818af699a2aa8afd861f3e7d7d1da554e724fbb
Opcode Fuzzy Hash: 6f4737a234a86d3be54f50f187dd7856472c7bc174d50f7591e61e27da4ec828
Instruction Fuzzy Hash: B6E0DF3130D1804FC304973DA8988AABFEAEFDA1A075844FBE14DCB3B2C8518C098360

Uniqueness

Uniqueness Score: -1.00%

Function 07505FC8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2697d03f104a61f51478d63ddbb059781664c8750365706998f2f94c9d0e71ec
Instruction ID: 6bb5e7271cdb69ff22a6ad7a890adae876bfae77a56cd531aab3494d82f4ee4d
Opcode Fuzzy Hash: 2697d03f104a61f51478d63ddbb059781664c8750365706998f2f94c9d0e71ec
Instruction Fuzzy Hash: 5BF0F878901108AFCB54EFA9D556A9DBBF4FF09304F5481E6D848D7720D7349A91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 074F0D08 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e2528b400d64af512c26abfa5fc3cf2242791f0ef39fecd4d142fa17a2d9ec
Instruction ID: 3ef050e658b7c5e459c7022a6065093404937226d2950bef4d549fb48636c37f
Opcode Fuzzy Hash: 38e2528b400d64af512c26abfa5fc3cf2242791f0ef39fecd4d142fa17a2d9ec
Instruction Fuzzy Hash: 80E02BB6D051199FCB00DA68ED456EFFFB4BB44321F108563D918E3111D3304908C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 07506288 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb5764c5adc4e494a761024560c000137f9b8d73dc0190a067e6fd5beb40fb7
Instruction ID: f1f33d2acadf9c7f8b0b0c53c8f3da3de2cc0e20a02c38ac1d3be60a5b7f177d
Opcode Fuzzy Hash: 5bb5764c5adc4e494a761024560c000137f9b8d73dc0190a067e6fd5beb40fb7
Instruction Fuzzy Hash: 70E022B041124CDEC712EBB4A8143DDBB79FF02300F00029AE08816611EB3151A0C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 074F5EF0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71da30bfafae0b6b8a16c15b8f06d7146341c20c18771d5bf92c59cbd39b078f
Instruction ID: 4c808c7d4e62193739a3f8c1fd1eb50df3bd82aa689f5423ff2a569fd7d8e884
Opcode Fuzzy Hash: 71da30bfafae0b6b8a16c15b8f06d7146341c20c18771d5bf92c59cbd39b078f
Instruction Fuzzy Hash: B3E022B14162C88EC326EB74D9286DABB38FB43200F0402DFC64007231EB310658C722

Uniqueness

Uniqueness Score: -1.00%

Function 074F4540 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddcda84e155277dd2becd16b18f2425ffb5c3be1cf4e3a157e0aac8b7ee999c
Instruction ID: 15cae1e148805092e83c3516dc25c981f8e50222fff37f00e883d56cdaf838a9
Opcode Fuzzy Hash: 4ddcda84e155277dd2becd16b18f2425ffb5c3be1cf4e3a157e0aac8b7ee999c
Instruction Fuzzy Hash: AAE0ED303506258FD714AB78C418BEA73D9BF84715F01846AD64A8B360CEB1AC85C780

Uniqueness

Uniqueness Score: -1.00%

Function 074F6EA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c40bde93ed4d4744dccb36d186060dbc0ac9cdc931da28a43bec7e444dae207
Instruction ID: 1492e8e8a82e954913abcc14ba8a649fa1ba36c29724d4b08dbe0f2295c47c18
Opcode Fuzzy Hash: 4c40bde93ed4d4744dccb36d186060dbc0ac9cdc931da28a43bec7e444dae207
Instruction Fuzzy Hash: 8BD012313141505B8714A66EA88886ABBDEEFC95B075544BAE60DD7321CD62DC0543A4

Uniqueness

Uniqueness Score: -1.00%

Function 074F0D18 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61aa8b92110ecaa06180cd80f5eb43d37289ed3193cd129225522bb5f306720
Instruction ID: 617c46da717f05a6740909372dcdfad588e33e41555b119364da374f70a667ab
Opcode Fuzzy Hash: e61aa8b92110ecaa06180cd80f5eb43d37289ed3193cd129225522bb5f306720
Instruction Fuzzy Hash: 9DE04F71A1011DABCB10DA69EC489DFFBF8FB88361F108126E618E3200D7705A1487E0

Uniqueness

Uniqueness Score: -1.00%

Function 074F0900 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cba172dd102bebe01f6a65e955cdedcd4169531751e8017046b36887ddfefca
Instruction ID: 7324ced947dba1e0ca20d50a605037ac19199ea487d001253d6d1fa101a603a3
Opcode Fuzzy Hash: 1cba172dd102bebe01f6a65e955cdedcd4169531751e8017046b36887ddfefca
Instruction Fuzzy Hash: 70E04F71A1011DAFCB00DA5AEC889DFFBFDFB94361F508126E518D3211D7705A15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07509912 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f285ad95822dd9655873cdb18f36b6a936807d0d745fa07612af914b5715864
Instruction ID: 68bc732d927c6a034d3aa8259623a83051ef31bc2f62c57752d62a500eeea84b
Opcode Fuzzy Hash: 9f285ad95822dd9655873cdb18f36b6a936807d0d745fa07612af914b5715864
Instruction Fuzzy Hash: B9E0D8307006548FC7155B29D419B9B3BE9BF45750F044449F585C72A1DBA4AC418FC6

Uniqueness

Uniqueness Score: -1.00%

Function 074F7CE9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e704a4ed7aeb374e242ff9110213f21151620e195918d819d65e55351b20f1b4
Instruction ID: c1cf298adb9d186dfcaa9aa539967fe7072619a413abe6ea4150937a4bb75ebd
Opcode Fuzzy Hash: e704a4ed7aeb374e242ff9110213f21151620e195918d819d65e55351b20f1b4
Instruction Fuzzy Hash: DAD02BD210A2D1078E03117214500E92FD84A9346038D11EFDF428B793DA49480043E2

Uniqueness

Uniqueness Score: -1.00%

Function 075085F9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337bea2a8c1513c7e668f3255882cb49d263538c514184d10ffcc2ad65317315
Instruction ID: 0479569e6c068f34270ba0bd23c8943560864b2f7bb992f0f43eb82ffff3a1e2
Opcode Fuzzy Hash: 337bea2a8c1513c7e668f3255882cb49d263538c514184d10ffcc2ad65317315
Instruction Fuzzy Hash: 32E09A74850148DFC304DFA8E825BADBF74BB09300F5001D8E48017365C7305942CB80

Uniqueness

Uniqueness Score: -1.00%

Function 07505FD8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777a78bbf08d8013eb8c7e480825a11fe965c58c40b6baf7f4e63cdbac4297df
Instruction ID: 69b14406aad2e5c76334802e3d59263f49e5c02fb3705095b4cb98a22a9fde4d
Opcode Fuzzy Hash: 777a78bbf08d8013eb8c7e480825a11fe965c58c40b6baf7f4e63cdbac4297df
Instruction Fuzzy Hash: 0BE0A574E012089FC750DFA8D559A9DBBF4FB48300F1081AAD80897350D7349A40CF41

Uniqueness

Uniqueness Score: -1.00%

Function 07505F80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 988e855628d1b72a852b9f940cd8a7d53776528a007ed2c3f3e2bc7c15e9fec6
Instruction ID: 77a9ad38ba11c122f3ee78ebd144dbb1b85ae773b1cce8704388c00bd74d5906
Opcode Fuzzy Hash: 988e855628d1b72a852b9f940cd8a7d53776528a007ed2c3f3e2bc7c15e9fec6
Instruction Fuzzy Hash: 53F0E570D053849FC721CBB4D42458DBFB0EB02351B2042DBD85457291C7350546DB12

Uniqueness

Uniqueness Score: -1.00%

Function 07509920 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ed0f422e40c77e825a92168f07056cdb8ff46d46238c27f5e91a6b3eadbead
Instruction ID: e3e2bc52104c6e9937607a6acfe3cf03f22d7ee6ea402ab1026351e7f25f7210
Opcode Fuzzy Hash: 99ed0f422e40c77e825a92168f07056cdb8ff46d46238c27f5e91a6b3eadbead
Instruction Fuzzy Hash: 68E08C30700A258FC728AA19D019B9F37E9BF48690B00445AE54AC72A1CBA1EC508FC6

Uniqueness

Uniqueness Score: -1.00%

Function 07505F90 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b639b410f4a216726d91848a905c453d007e6c39691f79d1f0bd7c02c0b43b8
Instruction ID: 5177c9a37623ea7a0a4e07279d602c18d2449108126510ebd45f98694f62aded
Opcode Fuzzy Hash: 9b639b410f4a216726d91848a905c453d007e6c39691f79d1f0bd7c02c0b43b8
Instruction Fuzzy Hash: D3E01AB4D01208EFCB54EFA8E41569DBBB5FB44300F1081AAD81893340E7355A41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07506E40 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49d2515a6260440b86c651b555b6ad065fc040d07fe1bf92d7b494ce7520969
Instruction ID: fdc7320c53e2432194f7607d13a577063d00b26d07f580f2d03d1956d80348f4
Opcode Fuzzy Hash: e49d2515a6260440b86c651b555b6ad065fc040d07fe1bf92d7b494ce7520969
Instruction Fuzzy Hash: 1AE08630410608DFC704EFA8D41599DBBB8FF06701F00429DD50457320EB319A54DB91

Uniqueness

Uniqueness Score: -1.00%

Function 074F7CB8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26bb773b9a6dd58a9dc4816a2f5353ea2819fcb0d92d49e749e5b1d17a5188f
Instruction ID: 03b37242598776412b1a97ed431e5a141c49c2019d54fe9af02cb8f64069fc0b
Opcode Fuzzy Hash: f26bb773b9a6dd58a9dc4816a2f5353ea2819fcb0d92d49e749e5b1d17a5188f
Instruction Fuzzy Hash: A4D05EB270425457C319516BA4086E77B8A9BC9231E18C06AE60A832818E659C4397D4

Uniqueness

Uniqueness Score: -1.00%

Function 07502672 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c2239a6d68d41106a623f7d5363688a1077abf174445bb211aa54276f27a00
Instruction ID: f54f5dfab768d62ad60b1b266f60b1f32fbae42c387dddfa7edf161afacb87ae
Opcode Fuzzy Hash: c7c2239a6d68d41106a623f7d5363688a1077abf174445bb211aa54276f27a00
Instruction Fuzzy Hash: 0DF04274D5162A8FCB65CF14D958AADBBB9FB48201F0051EAA41DA2281DB701F808F40

Uniqueness

Uniqueness Score: -1.00%

Function 0750A668 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347575f56be73a65222eb2d9df36a7b5e3ce51317376be9ec3c6c768e10c40c5
Instruction ID: 6ddc9a50ef43acd62814880e405a8d252e35b53f10b433fc7c65f95287157098
Opcode Fuzzy Hash: 347575f56be73a65222eb2d9df36a7b5e3ce51317376be9ec3c6c768e10c40c5
Instruction Fuzzy Hash: 9BE0CD79900150CFE700DF48E385BD577B5F754311F159025D0468B1D8CB38DC50CB81

Uniqueness

Uniqueness Score: -1.00%

Function 07506298 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c5453e43b064c36f3718db8bf50aa12bc33b28a46220c8bffeec222633bd53
Instruction ID: 0be67b2f3fe3ada3bb5464a211129c6bf6970c18a54803098178ab8f5b66c2f2
Opcode Fuzzy Hash: 49c5453e43b064c36f3718db8bf50aa12bc33b28a46220c8bffeec222633bd53
Instruction Fuzzy Hash: 4CE0EC70812608DFC715EFB4E81569DB779FB42201F5042AAD50426650EB719694D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 075077B1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83e3878d9296066f0b0a0226513903975d5151da7287c87937a50d823cfdc67
Instruction ID: f6f1bcc1c024c3df473c77d5323ebd445de408b6af8d1ebd6285a7487fc4bbca
Opcode Fuzzy Hash: e83e3878d9296066f0b0a0226513903975d5151da7287c87937a50d823cfdc67
Instruction Fuzzy Hash: 09E0C235080548AFEB10AF54C408FD47BE1FB98360F048062E5848B221D631A492C781

Uniqueness

Uniqueness Score: -1.00%

Function 07508608 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d8bb49d9ea3e4eb09da89110f628efbf1f0c8a8ccf9656873bfe47136c759b
Instruction ID: cefde0c68d9e5159e136cc9f47ed63ce371803a449c93fea3ae8257cb65d9f65
Opcode Fuzzy Hash: d5d8bb49d9ea3e4eb09da89110f628efbf1f0c8a8ccf9656873bfe47136c759b
Instruction Fuzzy Hash: 65E0C738900208DFC704EFA8E868A9EBBB8FF05301F2002E9D80427360C730AE40CB81

Uniqueness

Uniqueness Score: -1.00%

Function 074F7328 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd9a63a2c7b8407019181957a0a988c80ad9079eeff371f4236251bcd7cd21c
Instruction ID: 9fe42d1fb5cdeef2cc4f121853b231377b969cb64d060c77209aeacab3f706c6
Opcode Fuzzy Hash: 2cd9a63a2c7b8407019181957a0a988c80ad9079eeff371f4236251bcd7cd21c
Instruction Fuzzy Hash: FED05E7090220CEBC718EFE4E5196AFBB79FB41305FA042EDC80423344DB325A85DB95

Uniqueness

Uniqueness Score: -1.00%

Function 075062D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d84fb2c3394ce82937111186f13e44f5d9b50a187ec2a5548179a5fc657289d
Instruction ID: 57a12a0dff3fc2b948a95b0b73123b4deb8814b2b69b92fc795cbb524ab9168d
Opcode Fuzzy Hash: 6d84fb2c3394ce82937111186f13e44f5d9b50a187ec2a5548179a5fc657289d
Instruction Fuzzy Hash: 52D0A7362441087FEA815B94D800FD67FADEB09604F504285FA444E252C172E473D790

Uniqueness

Uniqueness Score: -1.00%

Function 074FB2F3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f118a26b25f7b5e1830a8ce4aba5bf17beb0df1216bf35bd5194a338e5ebb2b0
Instruction ID: 8c6651d95220e2c441076de0f69b3728e143533f44c8386f87ccce95fd86acc1
Opcode Fuzzy Hash: f118a26b25f7b5e1830a8ce4aba5bf17beb0df1216bf35bd5194a338e5ebb2b0
Instruction Fuzzy Hash: 87D05E311662060AC744BB74EA963963B6AAB80618B84882090088E616DF64DC4CA381

Uniqueness

Uniqueness Score: -1.00%

Function 07508DCE Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a16afa91ef21e2c899f3d4121cce62f14a08c5593fa07de522cdc6272ce8c9d
Instruction ID: 9c674ea3d69a7485e414410f0530b17677761f3390a8111de0346936f5832662
Opcode Fuzzy Hash: 3a16afa91ef21e2c899f3d4121cce62f14a08c5593fa07de522cdc6272ce8c9d
Instruction Fuzzy Hash: 10E0EC74640245CFD704DF64C499EADB7F1BF49314F254498D401AB361CB35AD81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0750EF00 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee44bba3bde1158578db40c38daff3e06c8cd437e0adc6f22b81041c2910b02
Instruction ID: 8550cbfe5e136706975c6c46957c85f80576b25579023495e04a36cc6c9bdd4e
Opcode Fuzzy Hash: 1ee44bba3bde1158578db40c38daff3e06c8cd437e0adc6f22b81041c2910b02
Instruction Fuzzy Hash: 57C01232100119BB4A01AB85D800CC6BFADAF89654314C056E5088B121D622E9129BD1

Uniqueness

Uniqueness Score: -1.00%

Function 074F7CF8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b0ddbe28de2ca213166af50e8169f44debee793ab0b09422738c6404a0d9ce
Instruction ID: 3ea38b181bba5670acebeee310b956008a3fb1ab700c315483dfaccc4b76c235
Opcode Fuzzy Hash: 10b0ddbe28de2ca213166af50e8169f44debee793ab0b09422738c6404a0d9ce
Instruction Fuzzy Hash: 87B0122230893853080A329F74148EE72CD49C587460600AFEA0D8BF468E852D4103DF

Uniqueness

Uniqueness Score: -1.00%

Function 07507786 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144c02b5d5a338a333cf7c355e7a5301c65ae74ccbe853a50e5f654dad4293d5
Instruction ID: 68109afa8bfc4f400184e9d74c6516a346084c1504908036404e52f76636a0da
Opcode Fuzzy Hash: 144c02b5d5a338a333cf7c355e7a5301c65ae74ccbe853a50e5f654dad4293d5
Instruction Fuzzy Hash: 62C012364245095BD710BA74CC017CDB7B4AB51305F448126D04495514FA54B1959262

Uniqueness

Uniqueness Score: -1.00%

Function 075062E0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7edb3687110c29721df55d898498224e8928bc9eafcc69cc06f23fea6422ed5a
Instruction ID: c45290621c32cfcb54c58af4fe12db17b0eae8d52e3b6d9a846124b2623a869f
Opcode Fuzzy Hash: 7edb3687110c29721df55d898498224e8928bc9eafcc69cc06f23fea6422ed5a
Instruction Fuzzy Hash: DDC08C36341208BFEB80AFD4C800DA6BBADAB08700F509100FB080F252C272E863DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0750BCD0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5db4d0977cde3da63f7b4a29bd35e9496451431d0c2c31c1dc87b1942e9413
Instruction ID: 925b99f5f0dfa0215895f4d035d76992666ebcfcb9b89ebfa52ff0ed52cab5e4
Opcode Fuzzy Hash: af5db4d0977cde3da63f7b4a29bd35e9496451431d0c2c31c1dc87b1942e9413
Instruction Fuzzy Hash: 6CC08C76706302838A2C6A2448241EB2512BF4B2043801AAE4005C5390CA38E882C292

Uniqueness

Uniqueness Score: -1.00%

Function 075077C0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2607fc39f1cd5f28a2c10af32de676bd92e73820400a404775b4131022be8eec
Instruction ID: 115590ed50afb758944c7c5456113d01006686c5a70aa352a3f6d96dece16535
Opcode Fuzzy Hash: 2607fc39f1cd5f28a2c10af32de676bd92e73820400a404775b4131022be8eec
Instruction Fuzzy Hash: F5C00235140108AFC700DF55D445D957BA9EB59661B1180A1F9484B732C632E951DA90

Uniqueness

Uniqueness Score: -1.00%

Function 0750CB38 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5af93f938d45a8c8c75519aa89b245e98736fad928cac97377826c0a219ea11
Instruction ID: 7df92ea0fb284714e324d49ebc714b23e44657096c8cf37ea5e3fc949f46cc50
Opcode Fuzzy Hash: a5af93f938d45a8c8c75519aa89b245e98736fad928cac97377826c0a219ea11
Instruction Fuzzy Hash: D4C09239140208EFC740DF5AD848C45BBA8EF1977074180A1FA098B732C732EC60DA94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B20540 Relevance: 2.8, Strings: 2, Instructions: 346COMMON

Download Yara Rule

Strings

XqC, xrefs: 02B207FE
XqC, xrefs: 02B207F7

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID: XqC$XqC
API String ID: 0-1383123279
Opcode ID: 8a50d7db17dff7986e0bc7b3187a4c59c5ac8527e07eb4ca157d86bea95cff5f
Instruction ID: e6674a985ec6a7fce4d398451b2475dd191e58ba9f6cd4cc4e3f03fc3a898a3d
Opcode Fuzzy Hash: 8a50d7db17dff7986e0bc7b3187a4c59c5ac8527e07eb4ca157d86bea95cff5f
Instruction Fuzzy Hash: E9D1C271E053298FCF04EFB8C4806EEBBB2EF98354F148969D409A7354DB7499498FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B24220 Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

%J, xrefs: 02B2448C

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID: %J
API String ID: 0-324193454
Opcode ID: 7921c5698b81c395072d231ff33989a44864ed7da11311327b22aa3a908417a7
Instruction ID: 9623bcdd3252550a548b9c9284e93e2847bf8813c3707bcee98e43472e60bef9
Opcode Fuzzy Hash: 7921c5698b81c395072d231ff33989a44864ed7da11311327b22aa3a908417a7
Instruction Fuzzy Hash: 02714574E1921ACB8B08CFA6D4415AEBBF2FF8D310F10946AD41AA7314E7349A46CF94

Uniqueness

Uniqueness Score: -1.00%

Function 051EE8F8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.344139269.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51e0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09068e3d399f10d55605be2c2e743d778b14d54d61378e1509a35823813a82b1
Instruction ID: c5a1ecb517ca7718f8775405175697ab57c147dd60c741c95e7ad5e76321260e
Opcode Fuzzy Hash: 09068e3d399f10d55605be2c2e743d778b14d54d61378e1509a35823813a82b1
Instruction Fuzzy Hash: DF12C8F1C937668AD330CF65E8A81C93B60B7453A9BD04A09D2759FAD0E7B8116ECF44

Uniqueness

Uniqueness Score: -1.00%

Function 051EC5E4 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.344139269.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51e0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30c81b8f4c99676459169a38a97f0c036ab505e7e254d06ba7b458e6788627e
Instruction ID: 7c971168e1a6c64dbca3258e8025516aa5cec5340d587d8534e453e7048fc147
Opcode Fuzzy Hash: f30c81b8f4c99676459169a38a97f0c036ab505e7e254d06ba7b458e6788627e
Instruction Fuzzy Hash: 85A18032E00609CFCF15DFA5D8445EEBBB2FF89304B15856AE805BB261EB71A955CB80

Uniqueness

Uniqueness Score: -1.00%

Function 051EE8E8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.344139269.00000000051E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_51e0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601c3f9dafe78aace66ee059ed85daef665680b3472ba33fba0b3605a0c26a19
Instruction ID: a4a2d5e890e983cf0ba5e50a5f83eb98afd38a07a748665bf1ccdffb82c0a431
Opcode Fuzzy Hash: 601c3f9dafe78aace66ee059ed85daef665680b3472ba33fba0b3605a0c26a19
Instruction Fuzzy Hash: FDC11FF1C537668AD320DF65E8A41C97B71FB453A8F904A08D171AB6D0F7B8106ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 02B209D3 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b85a70bb49af2242500c52cce43dfa86fc7ea43ebfd1eedd8cdba0c1f3f8e07
Instruction ID: ef892e4274b1bebd9bfc36baad8f9ef89cd7e755270e37d335e985b79140813d
Opcode Fuzzy Hash: 0b85a70bb49af2242500c52cce43dfa86fc7ea43ebfd1eedd8cdba0c1f3f8e07
Instruction Fuzzy Hash: 6B515CB0D052699FCB04DF69C940A9EFBF2FB89304F24C5AAD408A7319D7309A45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B20A30 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6dba9a87dd800e84f9fa339d47dae6c83b0ff019564d6d27f56c1f08024dac
Instruction ID: dcdd73b1175d6f03e234ca7d52cdcf13497ca678d394ba4881ca235df397922a
Opcode Fuzzy Hash: 3b6dba9a87dd800e84f9fa339d47dae6c83b0ff019564d6d27f56c1f08024dac
Instruction Fuzzy Hash: 47513EB0D152698FCB14DF5AC940A9EFBF2FB89304F24C5AAD408A7319D7309A45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B20A23 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564c74ace9a1ce903bb1920e2257ad3eb2ac0b5c1512e5a50e82e4a34e0b53f2
Instruction ID: 30913fb338b6d033564f56bea1dd5dd35099badfe4e5f69849bd3c4d4e28b791
Opcode Fuzzy Hash: 564c74ace9a1ce903bb1920e2257ad3eb2ac0b5c1512e5a50e82e4a34e0b53f2
Instruction Fuzzy Hash: BA515DB0D152698FCB04DF6AC940A9EFBF2FB89304F24C5AAD408A7359D7309A45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07500006 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a613bd209c71c1569ce0776bbc114cbbc8a4ddd02716461f254951e5632b2d3
Instruction ID: 4e21357c7fdf8d45a5bdf32621e7924d9c7835792dd2d43dc4c5fb4dd3a31f7f
Opcode Fuzzy Hash: 8a613bd209c71c1569ce0776bbc114cbbc8a4ddd02716461f254951e5632b2d3
Instruction Fuzzy Hash: DB415EB1D05A548FE759CF6B9C5069AFBF3AFC5201F18C1FAC44CAA265EB3409458F11

Uniqueness

Uniqueness Score: -1.00%

Function 07500040 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.349599660.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7500000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a372e6dbb540625d2f8234c76c8e495380e2b8ec199b08018979338d15e12f
Instruction ID: 4e9a15d3320b139ccd140ab8660617bb9e5985529afb3165ebd9fc17a1e6c964
Opcode Fuzzy Hash: 08a372e6dbb540625d2f8234c76c8e495380e2b8ec199b08018979338d15e12f
Instruction Fuzzy Hash: D9413EB1E05A588FEB58CF6B9D4479AFAF7BFC9201F14C1BAC40CAA255EB3005858F51

Uniqueness

Uniqueness Score: -1.00%

Function 02B294C0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c885e7c8d3fcd75763a7864be54ed02abda6e8a749febca8f4abc58ee2012f3e
Instruction ID: f9f63e2286223fbc2776d983654a1fdaf9d3376e6f15e3fbe7a229c3fa8c756d
Opcode Fuzzy Hash: c885e7c8d3fcd75763a7864be54ed02abda6e8a749febca8f4abc58ee2012f3e
Instruction Fuzzy Hash: EA21EA70E0A7289BDB14CFA5D4547FDBAF9AF4D300F2450A9E41DB3252D7344548CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02B294B0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77517b47a227054959603daf441b16fb2662d96dd69d120cdac5315c1cb5773e
Instruction ID: d54bdbd882d0a209ce0562646bdb8754a81dd3a35176fd8b6c3adf91f537dd61
Opcode Fuzzy Hash: 77517b47a227054959603daf441b16fb2662d96dd69d120cdac5315c1cb5773e
Instruction Fuzzy Hash: 29212870E0A7289BDB14CFA5D4547FDBBB9AF4E200F2460AAE41DB7252D7344548CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02B23948 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74331c40fe64b31fa288eaad37ccdeba101bd001842af7a63dba80ba85e54bc2
Instruction ID: c8f28bdc5e47d87d4ce6ce641bd0d17cb2b18b4366eef5dfa02fc58680cdf89f
Opcode Fuzzy Hash: 74331c40fe64b31fa288eaad37ccdeba101bd001842af7a63dba80ba85e54bc2
Instruction Fuzzy Hash: DE314E71E156299BDB18CF6AD8817AEFBF3FF88200F14C0AAD909A7254D7341A458F50

Uniqueness

Uniqueness Score: -1.00%

Function 02B23939 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.336820783.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2b20000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ca3a1016be08db6db9eff00944da657fd0055dce2cd857af458307a8ed184c
Instruction ID: b92b126514df789be82653c6dc53f3c759d3550cddc29b1433547defe56abaf2
Opcode Fuzzy Hash: 76ca3a1016be08db6db9eff00944da657fd0055dce2cd857af458307a8ed184c
Instruction Fuzzy Hash: DE318D70E153298BDB18CF6AD8816AEFBF3BFC9200F14C0BAD909A7255DB340A05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 074F2110 Relevance: 5.1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

Strings

@, xrefs: 074F21DE
@, xrefs: 074F2131
B, xrefs: 074F2136
B, xrefs: 074F21E3

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID: @$@$B$B
API String ID: 0-685577651
Opcode ID: 26c7e3c843cc72e2a082977b8d35a7fe852d4ea7b975313927d1861aee7b7a9c
Instruction ID: 76690667f526d82ee921ff227ceba7878e7ef7eeaad03d8eb10fb9fbc3d517ee
Opcode Fuzzy Hash: 26c7e3c843cc72e2a082977b8d35a7fe852d4ea7b975313927d1861aee7b7a9c
Instruction Fuzzy Hash: 0941BFB1B005168FCB14DB78CD844AE77F2FF8A250B244667D219D77A0DB30AC46CB96

Uniqueness

Uniqueness Score: -1.00%

Function 074F2100 Relevance: 5.1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

Strings

@, xrefs: 074F21DE
@, xrefs: 074F2131
B, xrefs: 074F2136
B, xrefs: 074F21E3

Memory Dump Source

Source File: 00000001.00000002.349306592.00000000074F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_74f0000_REMITTANCE COPY.jbxd

Similarity

API ID:
String ID: @$@$B$B
API String ID: 0-685577651
Opcode ID: 881c03d8ff15da4f59fd5d327068d7ee42929fe69859c5d540ff5a8b5d0f2ff5
Instruction ID: de657d3799b952a3c3ad4a9c8d73c9e39abb2a5d940c9bb2d335053ac257b85b
Opcode Fuzzy Hash: 881c03d8ff15da4f59fd5d327068d7ee42929fe69859c5d540ff5a8b5d0f2ff5
Instruction Fuzzy Hash: 4D219CB1A00A168FCB24CF68CD848AFBBF5BF8A2107244567E215DB361C770D841CB96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 5924, Parent PID: 2820COMMON

Execution Graph

Execution Coverage:	19.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.6%
Total number of Nodes:	1264
Total number of Limit Nodes:	33

Executed Functions

Function 06896BF8 Relevance: 2.1, APIs: 1, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.444483238.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6890000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1474af8e5a62bb5bc4355c2b08a7d4650aba7d0780b7385716b1ace7b07d87da
Instruction ID: d098821c05cb2ea4d6c3aff5ff7d0e53ec906b7e1d7e2c9f53f0c1265af84943
Opcode Fuzzy Hash: 1474af8e5a62bb5bc4355c2b08a7d4650aba7d0780b7385716b1ace7b07d87da
Instruction Fuzzy Hash: 0922A230B112058FDB54DBB8D854BAEBBF2AF89304F188469E405EB395DB39DC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 059454C0 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05945B5B

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 506785999c562507e551da6405cc89046947243b0e5d4f1978bf6a65e3c7647f
Instruction ID: 3c175fd7dd938b9bfc6fa673b331a3edc8d972a965d0e168f1c556263af0f498
Opcode Fuzzy Hash: 506785999c562507e551da6405cc89046947243b0e5d4f1978bf6a65e3c7647f
Instruction Fuzzy Hash: 40511470D102188FDB14CFA9C895BDDBBF5BF48314F158119E816AB350D778A844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 068EE940 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 068EE9A0
GetCurrentThread.KERNEL32 ref: 068EE9DD
GetCurrentProcess.KERNEL32 ref: 068EEA1A
GetCurrentThreadId.KERNEL32 ref: 068EEA73

Memory Dump Source

Source File: 0000000A.00000002.444595738.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_68e0000_RegSvcs.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 607eccee336ce37f8448999074b01077935b4f71ffa234f6d4bdacbb62eaed76
Instruction ID: fd905085960ef86d7de127585897a32970293bdcd42e0c2686deaded24eb967b
Opcode Fuzzy Hash: 607eccee336ce37f8448999074b01077935b4f71ffa234f6d4bdacbb62eaed76
Instruction Fuzzy Hash: 805154B09012488FDB50CFAAD988BEEBBF1FF49304F208459E559A7750C7746888CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0689EE40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0689EF54

Strings

;, xrefs: 0689EE94

Memory Dump Source

Source File: 0000000A.00000002.444483238.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6890000_RegSvcs.jbxd

Similarity

API ID: Open
String ID: ;
API String ID: 71445658-1661535913
Opcode ID: 1ecca698ed2817d8bd35d3f5f6cb0e8b5561cda9a20151180e237d78a11b2e5e
Instruction ID: 4df28b392e7489d9c2f3b7fb5d261d348b803d24ae7dd30718f7c47a58ebd5d6
Opcode Fuzzy Hash: 1ecca698ed2817d8bd35d3f5f6cb0e8b5561cda9a20151180e237d78a11b2e5e
Instruction Fuzzy Hash: 5B414B70D013499FDB10CFA9C588A8EFFF5AF48308F19856AE448EB341C7759885CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05947E50 Relevance: 3.4, APIs: 2, Instructions: 361COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6381e3f6a9d953a04ffdd2e5b0bc2bd02257b9ccbbd64e005a916815de880a85
Instruction ID: b2f4d965e7a99e970439730eded5ae22c095fe5e9069c0f575f44ced072d2d07
Opcode Fuzzy Hash: 6381e3f6a9d953a04ffdd2e5b0bc2bd02257b9ccbbd64e005a916815de880a85
Instruction Fuzzy Hash: 8C12BC74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF399E82CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05947E71 Relevance: 3.4, APIs: 2, Instructions: 361COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 400eaaf3f86126e24e7eba586a145ad91f93cc95990cb2cb4f1937446a79a821
Instruction ID: ca09facd51e3b284ec80ed92bed307fdc5b643e8d12b7246e5e6256e04fb0410
Opcode Fuzzy Hash: 400eaaf3f86126e24e7eba586a145ad91f93cc95990cb2cb4f1937446a79a821
Instruction Fuzzy Hash: 5812BB74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF359E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05947EB6 Relevance: 3.4, APIs: 2, Instructions: 354COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8fde0e1362060d84388916503a1ec9d93886570974dcca61c1621c4e3f062c76
Instruction ID: 0aaa9e285dc7a4d795c3a53780f48198f2b17c65bc0da7cd6079d053572221bf
Opcode Fuzzy Hash: 8fde0e1362060d84388916503a1ec9d93886570974dcca61c1621c4e3f062c76
Instruction Fuzzy Hash: 0702BC74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF359E82CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05947EFB Relevance: 3.3, APIs: 2, Instructions: 347COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8ce78fca8f298678207cc75b823f87dee2e5654e1be0a06489770a9fa73c5aa5
Instruction ID: 9b14db38f4f1080679de38bdf342b3da2f2591eaa1fbc895a5bb38783fa2f7b7
Opcode Fuzzy Hash: 8ce78fca8f298678207cc75b823f87dee2e5654e1be0a06489770a9fa73c5aa5
Instruction Fuzzy Hash: 4902CC74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF359E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05947F40 Relevance: 3.3, APIs: 2, Instructions: 340COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fdfba136d1fa7774e1e56142bc3394ce95c40abc1997f698e85e13db8b66501e
Instruction ID: b49d554a8e23a690237fb195e6c4e3e59c860d6a18b0e90d8274039c27788536
Opcode Fuzzy Hash: fdfba136d1fa7774e1e56142bc3394ce95c40abc1997f698e85e13db8b66501e
Instruction Fuzzy Hash: 6C02BC74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF359D82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05947F85 Relevance: 3.3, APIs: 2, Instructions: 333COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6feeb3486f004d5b6818c693b3cb512924eaafc1d5aebcb224e60435420b0d5b
Instruction ID: bfcb96e8cb8bbd2deaa1eb5570dc4b32a1ae29724953c9b7f54214fa87cd1e47
Opcode Fuzzy Hash: 6feeb3486f004d5b6818c693b3cb512924eaafc1d5aebcb224e60435420b0d5b
Instruction Fuzzy Hash: CB02BD74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF359D82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05947FCA Relevance: 3.3, APIs: 2, Instructions: 326COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0e7efeac78dd79a2dc860c7dac201a837585b64dfeef7c31bd3789724a3462d4
Instruction ID: 6459cc33018739a1cce09c3abcf030b9554d52bb27b7b0a4c9360135b0261921
Opcode Fuzzy Hash: 0e7efeac78dd79a2dc860c7dac201a837585b64dfeef7c31bd3789724a3462d4
Instruction Fuzzy Hash: FE02CD74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF359D81CF21

Uniqueness

Uniqueness Score: -1.00%

Function 0594800F Relevance: 3.3, APIs: 2, Instructions: 319COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 29662d4a94871b6d5edd7ec62e738898e382967cce74878cc14251580bde8178
Instruction ID: 142db85aace0d189da65fbe820c308af7bd12b24d1865f5971c6dab9a218854c
Opcode Fuzzy Hash: 29662d4a94871b6d5edd7ec62e738898e382967cce74878cc14251580bde8178
Instruction Fuzzy Hash: 20F1CD74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF359E81CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05948054 Relevance: 3.3, APIs: 2, Instructions: 312COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 53feea4b4fb3be6301e23e25e28298fa1ab3e3d97af3ec486e3454cfe36aa4ca
Instruction ID: cbc41e4d274f1a8c766526e5bd3cd07a690d6f1e8be0e3a33e1ebc0eac583d04
Opcode Fuzzy Hash: 53feea4b4fb3be6301e23e25e28298fa1ab3e3d97af3ec486e3454cfe36aa4ca
Instruction Fuzzy Hash: 62F1BD74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF359D82CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05948099 Relevance: 3.3, APIs: 2, Instructions: 303COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: caabef62b30db9c2f92dc42c6ec49a44cd1879934fd94f530b232972a97fc507
Instruction ID: 8c75f7910d11ca439ecb867432d3dd0d465f7beb6ede382eb67638b60f5ff3f3
Opcode Fuzzy Hash: caabef62b30db9c2f92dc42c6ec49a44cd1879934fd94f530b232972a97fc507
Instruction Fuzzy Hash: 64F1BD74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF399D82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 059480D5 Relevance: 3.3, APIs: 2, Instructions: 298COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d86a3491f5c1eeaa39c6d71273e51a4723b3ec744aa30e65260e57df25177913
Instruction ID: 155994e89bdaca0e86f33ab33bc4d2a8183228103e3b29a547ac8205a09b5510
Opcode Fuzzy Hash: d86a3491f5c1eeaa39c6d71273e51a4723b3ec744aa30e65260e57df25177913
Instruction Fuzzy Hash: 44F1BC74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF399E82CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0594811A Relevance: 3.3, APIs: 2, Instructions: 291COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1633342166fdd52ef3fe085c508ec92e5643b42f658faa21052fc668bc74f25b
Instruction ID: e7b9591ea81d19ee88a38a1f31a9bf717443c36432be900e7656cd9163ecb257
Opcode Fuzzy Hash: 1633342166fdd52ef3fe085c508ec92e5643b42f658faa21052fc668bc74f25b
Instruction Fuzzy Hash: AAE1BB74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF399E82CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0594815F Relevance: 3.3, APIs: 2, Instructions: 284COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 355c456649d48c3e5531ab50494f6f33203f0da2172cc02a49552d70ea2f0801
Instruction ID: fb4443ea66b9d16029503ff2856921bc08352676b5d4ad1783880ffe937dbe95
Opcode Fuzzy Hash: 355c456649d48c3e5531ab50494f6f33203f0da2172cc02a49552d70ea2f0801
Instruction Fuzzy Hash: 64E1BB74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF399E82CF11

Uniqueness

Uniqueness Score: -1.00%

Function 059481A4 Relevance: 3.3, APIs: 2, Instructions: 277COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0bd95d0f3b48d196c7533567f36a08158657e760ef51bbb11cd96a9f75904ce2
Instruction ID: 20712df8adbc7250e5a42840809d698df87b1b1132470f5c408aaa2676d7e62b
Opcode Fuzzy Hash: 0bd95d0f3b48d196c7533567f36a08158657e760ef51bbb11cd96a9f75904ce2
Instruction Fuzzy Hash: 24E1BB74906228CFCB65DF74D889A9DB7B2BF4538AF1045D9D50AA2350CF399E81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 059481E9 Relevance: 3.3, APIs: 2, Instructions: 270COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8b088dba0ac732381231571d78f04f3b61f36f4c60ff3581cf808f4490a51b0f
Instruction ID: fdffb195137eb49c2545a12cf90823dfc7a4f9cb88dcf52cd91f7acb1d0eb9a7
Opcode Fuzzy Hash: 8b088dba0ac732381231571d78f04f3b61f36f4c60ff3581cf808f4490a51b0f
Instruction Fuzzy Hash: C2E1BB74906228CFCB65DF74D889A9DB7B2BF4938AF1045D9D50AA2350CF399E82CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0594822E Relevance: 3.3, APIs: 2, Instructions: 263COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0801c2af64231d8b257afff2926dadd115f3e982403f18be60a7c0cc9edb9738
Instruction ID: 686be8c419bb46dea0fa299bce91b4eed7fbcd5666ac759a838b66ebc96d6497
Opcode Fuzzy Hash: 0801c2af64231d8b257afff2926dadd115f3e982403f18be60a7c0cc9edb9738
Instruction Fuzzy Hash: 6CD1C974906228CFCB65DF34D899A9DB7B2BF4538AF1045D9D50AA2350CF399E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05948273 Relevance: 3.3, APIs: 2, Instructions: 256COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 75d855245ee26a7e83a7e6507821a3d232eadcbbe439fb5e369c19d59481a92b
Instruction ID: 5bc8cfa620cab731568fc5e6cc9021f0fd375b07fbd2aa9db8475fa5d36d95fc
Opcode Fuzzy Hash: 75d855245ee26a7e83a7e6507821a3d232eadcbbe439fb5e369c19d59481a92b
Instruction Fuzzy Hash: FDD1B974906228CFCB65DF34D899A9DB7B2BF4538AF1045D9D50AA2350CF399E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 059482B8 Relevance: 3.2, APIs: 2, Instructions: 249COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bbaf3e20118e0b1ebcba20976ddb31a9b326a6b1597c277f07c908be9c299411
Instruction ID: 7b04d5dc8997674e2160fe22655282bf3d53d16ca29b35f74d70b5966e981357
Opcode Fuzzy Hash: bbaf3e20118e0b1ebcba20976ddb31a9b326a6b1597c277f07c908be9c299411
Instruction Fuzzy Hash: 4BD1B974906228CFCB65DF34D899A9DB7B2BF4538AF1045D9D50AA2350CF399E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 059482FD Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 16117d888908a145e93f66d383023ad59a340e1805120e76562512e9a5876999
Instruction ID: ac82b4ec7524b8f39f0cdad673ecb30aaf8f7db4a1b392dbe032546db3f70f00
Opcode Fuzzy Hash: 16117d888908a145e93f66d383023ad59a340e1805120e76562512e9a5876999
Instruction Fuzzy Hash: 75C1B974906228CFCB65DF34D899A9DB7B2BF4938AF1045D9D50AA2350CF399D82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05948342 Relevance: 3.2, APIs: 2, Instructions: 235COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d76d27e9bdd0d63b6c9741e7116b6fc67efa6445640c8e2c8f84888dd857a00c
Instruction ID: 7b643dfd3710356e223b7c066a97209702f054f1099f57156530413e1fd44a1f
Opcode Fuzzy Hash: d76d27e9bdd0d63b6c9741e7116b6fc67efa6445640c8e2c8f84888dd857a00c
Instruction Fuzzy Hash: 82C1B974906228CFCB65DF34D889A9DB7B2BF4538AF1045D9D50AA2350CF399E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05948387 Relevance: 3.2, APIs: 2, Instructions: 228COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ae424b9fece9e93efc72ca2b55eb23c58bd7a11f08858e20280d0dbc3b6f8d0f
Instruction ID: 27541aa24ba5ad557e20ac72341eeef99dcfda85455ea4f011860f10aaade611
Opcode Fuzzy Hash: ae424b9fece9e93efc72ca2b55eb23c58bd7a11f08858e20280d0dbc3b6f8d0f
Instruction Fuzzy Hash: DCC1CA74906228CFCB65DF34D889A9DB7B2BF4538AF1045D9D50AA2350CF399E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 059483CC Relevance: 3.2, APIs: 2, Instructions: 219COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059483E7
KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e8e53ad55024bf1ba73eab5762499f9b41f86a76d511ebdb78069b835e379811
Instruction ID: 27f9aac1b3f0eb4e30e3f8865987f915e40219fcc1d2150aa26b446426b3facd
Opcode Fuzzy Hash: e8e53ad55024bf1ba73eab5762499f9b41f86a76d511ebdb78069b835e379811
Instruction Fuzzy Hash: EEB1DA74906228CFCB65DF34D889A9DB7B2BF4538AF1045D9D50AA2350CF399E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 01890870 Relevance: 1.8, APIs: 1, Instructions: 268memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 01890B1E

Memory Dump Source

Source File: 0000000A.00000002.427793348.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1890000_RegSvcs.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 666f9eef4e4ad0d42c3a63065893f99b65ea7efd0c077b19eecb16e3c24d4a1b
Instruction ID: 743f542e9c9fb2377b136fe0077403e5c6269f6413008b3fae6dd4595d217e73
Opcode Fuzzy Hash: 666f9eef4e4ad0d42c3a63065893f99b65ea7efd0c077b19eecb16e3c24d4a1b
Instruction Fuzzy Hash: F881BF71E002089FDF21DFADD88079DBBB8EF49324F24446AF509E7292D7349A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05948408 Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 09119fe2847e7505102c6e2336b0a8f48cf3e2c8164358edc99c3ec3515de9dd
Instruction ID: 54c64f5d105b0fd1df920cab572c623cd11a2f3a62f42fbe0cd1048233447e96
Opcode Fuzzy Hash: 09119fe2847e7505102c6e2336b0a8f48cf3e2c8164358edc99c3ec3515de9dd
Instruction Fuzzy Hash: 92B1CA74906228CFCB65DF34D889A9DB7B2BF4938AF1045D9D50AA2350CF399D82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 0594844D Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9c8ac0c83e81e9cde4b91dc5245bebabb51a0e4bbe5ccb300afb7a097d4afcdd
Instruction ID: 74ec2fa87e64fdf13eb022d500c94ea5d196c92baf2c217fbf19427b12a08b96
Opcode Fuzzy Hash: 9c8ac0c83e81e9cde4b91dc5245bebabb51a0e4bbe5ccb300afb7a097d4afcdd
Instruction Fuzzy Hash: 09B1D974906228CFCB65DF34D889A9DB7B2BF4938AF1045D9D50AA2350CF399D82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05948489 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 04ac4abece2006321fab3fa3585fe5f35d4037c4ed861d9c67ee68621e967f70
Instruction ID: 3f62f0697dc741f1f1768517aba3bec71ec00fa43077a930be7b77dcad9d0ac3
Opcode Fuzzy Hash: 04ac4abece2006321fab3fa3585fe5f35d4037c4ed861d9c67ee68621e967f70
Instruction Fuzzy Hash: 81A1C874906228CFCB65DF34D889A9DB7B2BF4938AF1045D9D54AA2350CF399D82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 059484C5 Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a6c33d6921d518d4edb4716088ac028dc4e786467437e86d25775f36f77c684f
Instruction ID: 92108bcfb23f0db961c783297450a31f427e9b25e0d4ae449f20fe9640b3f8cb
Opcode Fuzzy Hash: a6c33d6921d518d4edb4716088ac028dc4e786467437e86d25775f36f77c684f
Instruction Fuzzy Hash: 31A1D974906228CFCB65DF34D889A9DB7B2BF4938AF1045D9D54AA2350CF399D82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05948501 Relevance: 1.7, APIs: 1, Instructions: 186COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 02ec5d31947ae4c9a7c9048a1cd7a0387be1668db39a67afdfaaf7517e719106
Instruction ID: 089b47f2436ab9eb66be124c55981268d74e8a2629e130f227b27ecb4128eadf
Opcode Fuzzy Hash: 02ec5d31947ae4c9a7c9048a1cd7a0387be1668db39a67afdfaaf7517e719106
Instruction Fuzzy Hash: F4A1C874906228CFCB65DF34D889A9DB7B2BF4938AF1045D9D54AA2350CF399D82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05948546 Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 13dfe18cf7e50de65df9a57c4565cc3cf91749abb185d30eb199be7ed86b398b
Instruction ID: 0d502a05a2d850660be68bc885ff10cb6b9670952e8e5fbb29eed4e83cf9fa95
Opcode Fuzzy Hash: 13dfe18cf7e50de65df9a57c4565cc3cf91749abb185d30eb199be7ed86b398b
Instruction Fuzzy Hash: E191C834906228CFCB65DF34D889A9DB7B2BF4938AF1045D9D54AA2350CF399D82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 068E0118 Relevance: 1.7, APIs: 1, Instructions: 173libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 068E01D7

Memory Dump Source

Source File: 0000000A.00000002.444595738.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_68e0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 42d14ed646dd7fc56bd62ce751e594963531456e94640c041d649141b55ca72f
Instruction ID: b4d019971d6413a9ec4394c654082695a321b5b9973c86ff9ed2dff34e1acc76
Opcode Fuzzy Hash: 42d14ed646dd7fc56bd62ce751e594963531456e94640c041d649141b55ca72f
Instruction Fuzzy Hash: CE51D430B002059FDB54EFB4D844AAE77F6AF8A304F14896AE406DB251DF78DD048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0594858B Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 596091f4e4806a63ec73f273b03baf18ca3867bd959680c97abe54d608211c7f
Instruction ID: aca936ea44c8a0441f498f968a5fb6b79e2b10be8ab49a1feabd8d3546ac0baf
Opcode Fuzzy Hash: 596091f4e4806a63ec73f273b03baf18ca3867bd959680c97abe54d608211c7f
Instruction Fuzzy Hash: FD91B874906228CFCB65DF34D889A9DB7B2BF4938AF1045D9D54AA2350CF359E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 059485D3 Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c9f16abb907c6ee442ef5fc14ecbe1dfdea02ee4f8f19bc8c7fd7e16a4b4390e
Instruction ID: 6d32ac548a077e120efc800facd9d914562ec7e8c78378c516aea19dda496638
Opcode Fuzzy Hash: c9f16abb907c6ee442ef5fc14ecbe1dfdea02ee4f8f19bc8c7fd7e16a4b4390e
Instruction Fuzzy Hash: 1981C934906228CFCB65DF34D889A9DB7B2BF4938AF1045D9D54AA2350CF359E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 0594861B Relevance: 1.7, APIs: 1, Instructions: 158COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 04bbb30b5e572d0e0f51658db44d44d19afb1a54d714dfa92907ccc8ded67a0b
Instruction ID: f12547d794360ae932f28cdb1d0011758a88142adfa9a6535ec61a1135831898
Opcode Fuzzy Hash: 04bbb30b5e572d0e0f51658db44d44d19afb1a54d714dfa92907ccc8ded67a0b
Instruction Fuzzy Hash: 1D81B874906228CFCB65DF34D889A9DB7B2BF4938AF1045D9D54AA2350CF359E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05948663 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: edd88c439ca202d5b5344cedf50bee7b3b07763dbaadab85aa7cbf6b37f9a339
Instruction ID: b9df1bb94ebdf3d50118161f6f9f0905741d46ddb4e3120e7be8282c51114fc9
Opcode Fuzzy Hash: edd88c439ca202d5b5344cedf50bee7b3b07763dbaadab85aa7cbf6b37f9a339
Instruction Fuzzy Hash: B971D834906228CFCB65DF34D889A9DB7B2BF4938AF1045D9D50AA2350CF359E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 068E0178 Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 068E01D7

Memory Dump Source

Source File: 0000000A.00000002.444595738.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_68e0000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 929c3c22f445fb4d5498b81c349cbee91bc9974fdf777babba2f3a95493e1966
Instruction ID: 52773cebe61c932f8557d9e253e8bd75ef7852955d5b2a8d5b401c1a71d90375
Opcode Fuzzy Hash: 929c3c22f445fb4d5498b81c349cbee91bc9974fdf777babba2f3a95493e1966
Instruction Fuzzy Hash: D651C130B002059FCB54EFB4D884AAEB7B6BF99204F148929D506DB254EF38ED44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 059486AB Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e42dd2984101644cdb324b2b1d5baf4944234e9c3d5d76247307f2037fa9c45c
Instruction ID: 93286b2a2d5611d282da3621d9482dde5fec0f1c0d0f953222f71b3c1e62f3ea
Opcode Fuzzy Hash: e42dd2984101644cdb324b2b1d5baf4944234e9c3d5d76247307f2037fa9c45c
Instruction Fuzzy Hash: E871D834906228CFCB65DF34D889A9DB7B2BF4938AF1045D9D54AA2350CF359E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 059486E7 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 08abaa1795c935d8e1ea3bc13b1142d2043bf81dd0af36a0c905802d720bea5c
Instruction ID: fb4ba6f8b4bb44d7740cfb41fe1803ba245a84bcc3ac03724f5fd8c420af097a
Opcode Fuzzy Hash: 08abaa1795c935d8e1ea3bc13b1142d2043bf81dd0af36a0c905802d720bea5c
Instruction Fuzzy Hash: 6F61C874902228CFCB65DF34D889A9DB7B2BF4538AF1045D9D54AA2350CF399E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 068EA3F0 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.444595738.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_68e0000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667f06d9ba50063483cd05dff3003ecef05175e30d52ed1a26b547c9aa85a489
Instruction ID: 8cdf36a7eb1290b6a4caa258bbdd505bfb72b1661f0482d752137981d989d914
Opcode Fuzzy Hash: 667f06d9ba50063483cd05dff3003ecef05175e30d52ed1a26b547c9aa85a489
Instruction Fuzzy Hash: DD412472E003598FCB14DF69D8442EEBBF5AF8A214F04816AD408E7741DB389949CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 059457B4 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05945B5B

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 7f3814d922c3d1d3f2aefb33eaeffd4890893e94bc86688aa41174a769757560
Instruction ID: b7dde86beb7ce605c77c9956c8526600d0c7edd52e75ebc0be350ae06ee83ef0
Opcode Fuzzy Hash: 7f3814d922c3d1d3f2aefb33eaeffd4890893e94bc86688aa41174a769757560
Instruction Fuzzy Hash: CF510370D102188FDB14CFA9C895BDDBBF5BF48314F15812AE816AB350D778A844CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05945A14 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05945B5B

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: bbeceb991959d15a85e9edb2bfd54d5eff3a48fcc430a5a1e90b0d4610694e43
Instruction ID: 8b6df88be53bb8f7b37068d801e33951b0e809bd42b4a629f2641940a1848438
Opcode Fuzzy Hash: bbeceb991959d15a85e9edb2bfd54d5eff3a48fcc430a5a1e90b0d4610694e43
Instruction Fuzzy Hash: C851F271D102188FDB14CFA9C895BDDBBF5BF48314F15852AE816AB350D7789845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0594872F Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 02409a9dd1a080d36492b503c45232a621fb706c91f934dd616721c077241d86
Instruction ID: d7761eba8dad4c3b9d9f655b73c85bf15658fb27246aeaad44dabeda8d6b5637
Opcode Fuzzy Hash: 02409a9dd1a080d36492b503c45232a621fb706c91f934dd616721c077241d86
Instruction Fuzzy Hash: 5E61D774902228CFCB65DF74D889A9DB7B2BF4938AF1045D9D54AA2350CF359E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 05948777 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6ccdc17f2cc6d5a00cd8bce58d1d352b793db8aafe06c292dc7c088e2dfb4d4c
Instruction ID: 20f831a06c9ec3dedf40ce20010ae05136848744ca08d64347e1eb123dfc6902
Opcode Fuzzy Hash: 6ccdc17f2cc6d5a00cd8bce58d1d352b793db8aafe06c292dc7c088e2dfb4d4c
Instruction Fuzzy Hash: CF51D674902228CFCB65DF34D889A9DB7B2BF4538AF1045D9D54AA2350CF399E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 059487BF Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d0d4a1dd03adfd22bc962e406369f190c504977358f57a7622cd89dcc9ba56cd
Instruction ID: 2591e0e71e237f406939394f24c565d5544a58c93de15b3f69b3f24b5395c61d
Opcode Fuzzy Hash: d0d4a1dd03adfd22bc962e406369f190c504977358f57a7622cd89dcc9ba56cd
Instruction Fuzzy Hash: 9D51D674902228CFCB65DF34D889A9DB7B2BF4538AF1045D9D54AA2350CF359E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0689F108 Relevance: 1.6, APIs: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0689F211

Memory Dump Source

Source File: 0000000A.00000002.444483238.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6890000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c6523c0eafae3c7e99c0cede92a68636e48ebfc3800a057c22e4f48ec0690225
Instruction ID: e1191a64c3699967b21d46e789e86ccbe818f67296f380384804288062442797
Opcode Fuzzy Hash: c6523c0eafae3c7e99c0cede92a68636e48ebfc3800a057c22e4f48ec0690225
Instruction Fuzzy Hash: 254125B1E002589FCB14CFA9C884A9EBBF5FF48714F19806AE958EB314D7749945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05948807 Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fa2535cfb0262027616ac1224882629de512bedb75c9bf71ac8de810a79caee9
Instruction ID: a52ce6785598f3ff82d059de07415961c16a86195f2f31dc49dd848c79137345
Opcode Fuzzy Hash: fa2535cfb0262027616ac1224882629de512bedb75c9bf71ac8de810a79caee9
Instruction Fuzzy Hash: 3551E534A02228CFCB65DF34D889A9DB7B2BF4538AF1045D9D54AA2350CF359E82CF21

Uniqueness

Uniqueness Score: -1.00%

Function 0594884F Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2bccfec6ffaae8ba9111901ec2a07c3a421925ab442c0816c5441553c6437419
Instruction ID: 4c55360fb150c8e5c3eefa0ba632a5ef0dab4ead07fbdaebb35490ca258ae2de
Opcode Fuzzy Hash: 2bccfec6ffaae8ba9111901ec2a07c3a421925ab442c0816c5441553c6437419
Instruction Fuzzy Hash: 4251D534A02228CFCB65DF74D889A9DB7B2BF4538AF1045D9D54AA2350CF359E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0594888B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0b057aeeea2acf7a3044f42b4289d2eca2bcfc44ca93dd255b7ba08584187264
Instruction ID: b1c5bcf00eb6d844916af2eb3dda9ed492595b42478765435579936b9c93595d
Opcode Fuzzy Hash: 0b057aeeea2acf7a3044f42b4289d2eca2bcfc44ca93dd255b7ba08584187264
Instruction Fuzzy Hash: FB41D734A02228CFCB65DF74D889A9DB7B2BF4538AF1045D9D54AA2350CF359E82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05947237 Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 05947300

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4e3bacf3e7e6ed8bedf5aecf3973e2157c491ab9266759005d7cf23ef2455b61
Instruction ID: b07af6679212d928e865d45eb5e63fd30fa69b80a5ab6b72e4f049e64ac61038
Opcode Fuzzy Hash: 4e3bacf3e7e6ed8bedf5aecf3973e2157c491ab9266759005d7cf23ef2455b61
Instruction Fuzzy Hash: 77318E719042598FDB01CFA9C945BDEBBF4EF48354F04806AE848EB751D738A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0189A240 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 0189D4C2

Memory Dump Source

Source File: 0000000A.00000002.427793348.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1890000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 552044d305bf845d9e00f5d57047de680c5e50d09e9288fbf303fbca8d4f79e3
Instruction ID: 99a79af24924fc492c8c6f8d81bdc3d409668d7316a03e782e3fec07ce64f34d
Opcode Fuzzy Hash: 552044d305bf845d9e00f5d57047de680c5e50d09e9288fbf303fbca8d4f79e3
Instruction Fuzzy Hash: D23136B0D102498FDF14CFA9C8857DDBBB1EB08314F188629E855E7380D778A545CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0189D3ED Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 0189D4C2

Memory Dump Source

Source File: 0000000A.00000002.427793348.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1890000_RegSvcs.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 74c268350cbc31a465924487acb3cae4ec0f8b87527f7a62db8023c0a908b015
Instruction ID: 98581ca2e7539eccd2efaf9a84aa116b11852a0eb5a547c3ec8ed56fe9b64cfa
Opcode Fuzzy Hash: 74c268350cbc31a465924487acb3cae4ec0f8b87527f7a62db8023c0a908b015
Instruction Fuzzy Hash: 883114B1D102498FDF14CFA8C8857DDBBB1AB08314F188629E815E7340D778A545CF95

Uniqueness

Uniqueness Score: -1.00%

Function 059488D3 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e7438886cf522d82a0fd8f484c4ca3f56e574b89f7a7fd7f8803882c3e8046d8
Instruction ID: 3ad106bb0cd9a1c9f92104a79b6adc3cd6668e5b0a8dbec6551fbc478a17c34c
Opcode Fuzzy Hash: e7438886cf522d82a0fd8f484c4ca3f56e574b89f7a7fd7f8803882c3e8046d8
Instruction Fuzzy Hash: 8D41E734A02228CFCB65DF74D889A9DB7B2BF4538AF1044D9D54AA2350CF359E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0689BA80 Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 0689F211

Memory Dump Source

Source File: 0000000A.00000002.444483238.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6890000_RegSvcs.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 77643b7c5721ad852fb8e7a8bda22ab3a608b0fa20653927e5f0c5e38931d8d7
Instruction ID: 51037a7e680bf7d519a8f388cb96c1e6eb4833ad7ac432079d1596aa3fd7446e
Opcode Fuzzy Hash: 77643b7c5721ad852fb8e7a8bda22ab3a608b0fa20653927e5f0c5e38931d8d7
Instruction Fuzzy Hash: 8631E1B1D002589FCB14CFD9C984A8EBBF5BB48314F14802AE919EB310D7749945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 068EA56F Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,068EA442), ref: 068EA52F

Memory Dump Source

Source File: 0000000A.00000002.444595738.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_68e0000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3846d32036f9d96008531ac5f42024b6561cf72298499cd62d991e14628cf781
Instruction ID: 5ec7e1682546b16f15605cc2ca0864c700569a37d34b3287f5ea93908dc71143
Opcode Fuzzy Hash: 3846d32036f9d96008531ac5f42024b6561cf72298499cd62d991e14628cf781
Instruction Fuzzy Hash: A921E7B4D01219DFCF64CFA9D8017EEBBB8AF0A714F10416AE948E7241D3385949CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0689BA74 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 0689EF54

Memory Dump Source

Source File: 0000000A.00000002.444483238.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6890000_RegSvcs.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c0c4fc4f5f06ce86476a2f948fdf95f1ee09cdfd6f706388f6fb5648beefdc51
Instruction ID: 2535d0b73a13fe7829cff012ebc49e95f2bafc45133108792e733ab12837463b
Opcode Fuzzy Hash: c0c4fc4f5f06ce86476a2f948fdf95f1ee09cdfd6f706388f6fb5648beefdc51
Instruction Fuzzy Hash: 3B31E7B1D01249DFDB10CF99C588A8EFFF5BF48314F18815AE509AB341C7B59989CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0594891B Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c13204350f25950a2714911528018356edc0a53cde1726dd11eafa1355a0c488
Instruction ID: 8ebad2e8bec73d7239a3b1ff2821967540537807990ae11008bf57472ee21645
Opcode Fuzzy Hash: c13204350f25950a2714911528018356edc0a53cde1726dd11eafa1355a0c488
Instruction Fuzzy Hash: C441F734A02228CFCB64DF64D889A9DB7B2BF4538AF1045D9D54AA2350CF359E82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05948963 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f508e8ed6cd014ea3dc73008760221a93c4f84b9ef7df1659e92a6110fc989a0
Instruction ID: a851345e1a99a4632008d929fec50e068b7e6660301bca10314c5374b320133d
Opcode Fuzzy Hash: f508e8ed6cd014ea3dc73008760221a93c4f84b9ef7df1659e92a6110fc989a0
Instruction Fuzzy Hash: B731F874A02228CFCB65DF64D889A9DB7B2BF4538AF1044DAD54AA3350CF359E82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 059489AB Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: baaff85e538dad536a44dd7d4fe60454d488d58ba6346abe12459e2716e4cf1c
Instruction ID: 2e90cb4dc51d36d2f9a8bbda08a2f02a68d0c621dc433adcf910c6c79230235f
Opcode Fuzzy Hash: baaff85e538dad536a44dd7d4fe60454d488d58ba6346abe12459e2716e4cf1c
Instruction Fuzzy Hash: F331E675A02228CFCB64DF74D889A9DB7B2BF45389F1044D9D54AA2350CF359E82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 068EE51C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,068EEB2E,?,?,?,?,?), ref: 068EEBEF

Memory Dump Source

Source File: 0000000A.00000002.444595738.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_68e0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c87a31de04d7304eef356f876485fb5fa293189521aa2838cfc2a38e3f41fa71
Instruction ID: d454b554d9e99df404ed7b5a88d696f477200df0ac1698579188b44fde042750
Opcode Fuzzy Hash: c87a31de04d7304eef356f876485fb5fa293189521aa2838cfc2a38e3f41fa71
Instruction Fuzzy Hash: C921E4B5D003489FDB10CFA9D984AEEBBF8EB48324F14841AE955B3710D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 068EEB61 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,068EEB2E,?,?,?,?,?), ref: 068EEBEF

Memory Dump Source

Source File: 0000000A.00000002.444595738.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_68e0000_RegSvcs.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 61c65ef79adaab3e4ac4ccc2ca04d6e72ed3f6d17d9272067c3f2dd354def665
Instruction ID: f5c582f03d3a800636df41b81dd46e1df956be6c6df53f7c2b520f16c780a503
Opcode Fuzzy Hash: 61c65ef79adaab3e4ac4ccc2ca04d6e72ed3f6d17d9272067c3f2dd354def665
Instruction Fuzzy Hash: 0121FFB6D002499FDB10CFA9D984ADEBBF4FB48324F14851AE955A3710D378A958CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05945E1C Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 05947300

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ee8328e3b66ed4eb7c583cddc9a6770cf1cc25edb848bac740f16308799f4657
Instruction ID: f10beb992f85180471a5c15a71fd6309f950f2c158e2df2644f7cdf06ea45aa6
Opcode Fuzzy Hash: ee8328e3b66ed4eb7c583cddc9a6770cf1cc25edb848bac740f16308799f4657
Instruction Fuzzy Hash: 662135B1C0065A8BCB10CF9AD544BEEFBB4FB08324F04812AE819B7740D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 059489F3 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0d22b7cdaacdedea1aa06f1ebe7dbe470c648e27cf0f3e459433725d7ed5653f
Instruction ID: 6e3d916aa0bc43835905373518c5b930a12d931fc6261ca4e20a4297c3a656cc
Opcode Fuzzy Hash: 0d22b7cdaacdedea1aa06f1ebe7dbe470c648e27cf0f3e459433725d7ed5653f
Instruction Fuzzy Hash: C9212874A02228CFCB65EF24D889A9DB772BF8538AF1044D9D54AA2350CF349D82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 068EA4C0 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,068EA442), ref: 068EA52F

Memory Dump Source

Source File: 0000000A.00000002.444595738.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_68e0000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: adedeb6f00c9fa889b26ec24b828e7b8d8f767ef5b6b6051394eb13be2d16448
Instruction ID: 3f9f4428a507eee8f08aff342201a5542bf108cb55fbe2503eb6ebfb1d0c5303
Opcode Fuzzy Hash: adedeb6f00c9fa889b26ec24b828e7b8d8f767ef5b6b6051394eb13be2d16448
Instruction Fuzzy Hash: BA1106B1C002599FCB10CF9AD544BDEFBB8BB48224F14816AD818A7740D378A959CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0189550F Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0189559A

Memory Dump Source

Source File: 0000000A.00000002.427793348.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1890000_RegSvcs.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 47868da884a4037db32d630d798117fa9e11c9819ff40921fa85a28aff225059
Instruction ID: ac34e6cb30487ced24f07e4847e7e78ed6fe41eb0b53af23dd393f3e43b7c860
Opcode Fuzzy Hash: 47868da884a4037db32d630d798117fa9e11c9819ff40921fa85a28aff225059
Instruction Fuzzy Hash: 6C2158B1D013458FDF51CFA8D98939ABBF8EB05318F18841AE415E7645D7386644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 068E8E10 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,068EA442), ref: 068EA52F

Memory Dump Source

Source File: 0000000A.00000002.444595738.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_68e0000_RegSvcs.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 78baeafdf43c37ec057ac9bc5bf0a66b9ae5b6a7a49526318a311ab5a4f5df0a
Instruction ID: ffe7328cfe66a5b6d6573c14f4a9eaca0b5801a4a15a36827d6f65296c1c71b1
Opcode Fuzzy Hash: 78baeafdf43c37ec057ac9bc5bf0a66b9ae5b6a7a49526318a311ab5a4f5df0a
Instruction Fuzzy Hash: FF1103B2C006599FCB10CF9AC5447DEFBF4AB48624F14816AE818B7740D378A959CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 01895520 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0189559A

Memory Dump Source

Source File: 0000000A.00000002.427793348.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1890000_RegSvcs.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: da7bde8dce36e4a7b7b27c50f40ff6ccb149286ece44dc1ef138e10a71b22b15
Instruction ID: 96cf592614633b244604444e3168d9659ce68e2352708723c9c2e78073c776b6
Opcode Fuzzy Hash: da7bde8dce36e4a7b7b27c50f40ff6ccb149286ece44dc1ef138e10a71b22b15
Instruction Fuzzy Hash: AE1197709013488FDF50CFA9D80979EBBF8EB48328F18802AE815E3641C739A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05948A2F Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bc788b1d2f1abfdd2712b44d882e9223c510b4ef57a53fb98977c2ef3affad92
Instruction ID: ad7b51a3589aa73cf6a567b516e86d0f30d3dbfeb216103ae9c063bb30c918a2
Opcode Fuzzy Hash: bc788b1d2f1abfdd2712b44d882e9223c510b4ef57a53fb98977c2ef3affad92
Instruction Fuzzy Hash: AC211874A02228CFCB64DF64D889A9DB7B2FF49349F1044DAD54AA3350CB349E82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01890AB0 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 01890B1E

Memory Dump Source

Source File: 0000000A.00000002.427793348.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1890000_RegSvcs.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: e5cec59a7bb0e5139e0d77210debfe390865c20b6ac753c841be1611e86788dd
Instruction ID: 19d217cc40eacf6688e4530e45767c53fc094bd77ce60168e309ac2748508e56
Opcode Fuzzy Hash: e5cec59a7bb0e5139e0d77210debfe390865c20b6ac753c841be1611e86788dd
Instruction Fuzzy Hash: 441102B29002499FCF10CF9AD984BDEBBF8EF48324F148419E559A7710C775A958CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05948A77 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05948A92

Memory Dump Source

Source File: 0000000A.00000002.442807816.0000000005940000.00000040.00000800.00020000.00000000.sdmp, Offset: 05940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5940000_RegSvcs.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 03938d77f61cf4e2cc61b2787968716a9ba0d7bbbbdd4c8d2a1a1f1a1d50a7da
Instruction ID: 0c78fbef434c0dcd00b6c5270e90c3d81a3cc6bce8d1297a03542b6addabf24a
Opcode Fuzzy Hash: 03938d77f61cf4e2cc61b2787968716a9ba0d7bbbbdd4c8d2a1a1f1a1d50a7da
Instruction Fuzzy Hash: E7114F74A02228CFCB65EF64D889A9DB771FF49349F1041DAD54A93350CB349D82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01890B68 Relevance: 1.3, APIs: 1, Instructions: 41sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 01890BC7

Memory Dump Source

Source File: 0000000A.00000002.427793348.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1890000_RegSvcs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 520404d92a6007cfe5d91d1427366d7ebaf41234a3fda92861eacb697d7c2a6a
Instruction ID: 8cb2d66cbe7a275fd1776140c667b87bd0de89394ba555dbd6241b180228817b
Opcode Fuzzy Hash: 520404d92a6007cfe5d91d1427366d7ebaf41234a3fda92861eacb697d7c2a6a
Instruction Fuzzy Hash: C611E2B1800259CFDB10CF9AD884BDEFBF8EB48328F14845AD559A7750C7B5A948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01890B63 Relevance: 1.3, APIs: 1, Instructions: 41sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 01890BC7

Memory Dump Source

Source File: 0000000A.00000002.427793348.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1890000_RegSvcs.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8263774d76d9732ebd2bc2a788840f6f2d286fb9af3b9f97b9fc7aec6e924e77
Instruction ID: 38f891a6339c66b68d30f550b9ab940b656f4e8845cdd3fd95996c501497ed49
Opcode Fuzzy Hash: 8263774d76d9732ebd2bc2a788840f6f2d286fb9af3b9f97b9fc7aec6e924e77
Instruction Fuzzy Hash: 7D1115B1901249CFDB10CF99D884BDEFBF4EB48314F14845AD558A7740C7B4A548CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017BD8F4 Relevance: 1.1, Instructions: 1112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.427471087.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17bd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b7eecb5427c58f537ffb5dda124bcdfd7146d93c2b2d514c4eb2d26306c2da
Instruction ID: 1d4e40facfc7d80345369e7fc0f2f98d63bbdb6bfd83833ce83273d995fcd7d1
Opcode Fuzzy Hash: f7b7eecb5427c58f537ffb5dda124bcdfd7146d93c2b2d514c4eb2d26306c2da
Instruction Fuzzy Hash: DE42F87244D7C18FD7538B7898A47D13FB0AF13229F1A06EBD484CA1A3D36D4A59CB22

Uniqueness

Uniqueness Score: -1.00%

Function 017BE120 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.427471087.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17bd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc52b85dcca0d08b24d320d5527cf2db6bfd068ba728f74d222fa46fe24a6624
Instruction ID: 7f6d205cd934df4a92b758310a2528966370dd3f0090a8f173249ca57a702369
Opcode Fuzzy Hash: bc52b85dcca0d08b24d320d5527cf2db6bfd068ba728f74d222fa46fe24a6624
Instruction Fuzzy Hash: E091497244D7C18FD7138B78A8A47D17FB1AF03229F1946EBC5858B1A3D36D491ACB22

Uniqueness

Uniqueness Score: -1.00%

Function 017BE3F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.427471087.00000000017BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_17bd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa8c1c500f41a02350dc3eb76bb9030b27d08485806f6eee220effb7bac42d6
Instruction ID: 75337ce6fab7681cfa2c27487919b9b8327cae993157e9c2d5f062b0ce5fb218
Opcode Fuzzy Hash: 1aa8c1c500f41a02350dc3eb76bb9030b27d08485806f6eee220effb7bac42d6
Instruction Fuzzy Hash: F7212575604240DFDB01CF24D9C0BD6FB61FB84324F24C9A9E9494B746CB3AD84ACBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report REMITTANCE COPY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FSmZIJwnxoJulr.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\REMITTANCE COPY.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yGbzOMp.exe.log

C:\Users\user\AppData\Local\Temp\tmp72FE.tmp

C:\Users\user\AppData\Local\Temp\tmp77E.tmp

C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe

C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
REMITTANCE COPY.exe

Function 02B264E0 Relevance: 3.1, APIs: 2, Instructions: 88
memoryinjectionCOMMON

Function 02B268DB Relevance: 2.8, Strings: 2, Instructions: 287
COMMON

Function 02B268E8 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre