Windows Analysis Report
REMITTANCE COPY.exe

Overview

General Information

Sample Name:REMITTANCE COPY.exe
Analysis ID:756282
MD5:e54ca4f235a6878e6c4913b4ddcba055
SHA1:b91ce873b8a93b46ebac12b5d1e62f3a1a9dd27f
SHA256:6acfd9ea1b88077926a542fd286da3119b626792f71b09927ca252236245d43a
Tags:agentteslaexe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • REMITTANCE COPY.exe (PID: 2820 cmdline: C:\Users\user\Desktop\REMITTANCE COPY.exe MD5: E54CA4F235A6878E6C4913B4DDCBA055)
    • schtasks.exe (PID: 5524 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5924 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • FSmZIJwnxoJulr.exe (PID: 3804 cmdline: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe MD5: E54CA4F235A6878E6C4913B4DDCBA055)
    • schtasks.exe (PID: 5020 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 2316 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 5856 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • yGbzOMp.exe (PID: 5256 cmdline: "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • yGbzOMp.exe (PID: 4296 cmdline: "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}
Source | Rule | Description | Author | Strings
0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x31d44:$a13: get_DnsResolver
  • 0x3043b:$a20: get_LastAccessed
  • 0x32772:$a27: set_InternalServerPort
  • 0x32aa7:$a30: set_GuidMasterKey
  • 0x3054d:$a33: get_Clipboard
  • 0x3055b:$a34: get_Keyboard
  • 0x31928:$a35: get_ShiftKeyDown
  • 0x31939:$a36: get_AltKeyDown
  • 0x30568:$a37: get_Password
  • 0x31083:$a38: get_PasswordHash
  • 0x321a6:$a39: get_DefaultCredentials
00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
10.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
10.0.RegSvcs.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x34a83:$s10: logins
  • 0x344fd:$s11: credential
  • 0x3074d:$g1: get_Clipboard
  • 0x3075b:$g2: get_Keyboard
  • 0x30768:$g3: get_Password
  • 0x31b18:$g4: get_CtrlKeyDown
  • 0x31b28:$g5: get_ShiftKeyDown
  • 0x31b39:$g6: get_AltKeyDown
10.0.RegSvcs.exe.400000.0.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x31f44:$a13: get_DnsResolver
  • 0x3063b:$a20: get_LastAccessed
  • 0x32972:$a27: set_InternalServerPort
  • 0x32ca7:$a30: set_GuidMasterKey
  • 0x3074d:$a33: get_Clipboard
  • 0x3075b:$a34: get_Keyboard
  • 0x31b28:$a35: get_ShiftKeyDown
  • 0x31b39:$a36: get_AltKeyDown
  • 0x30768:$a37: get_Password
  • 0x31283:$a38: get_PasswordHash
  • 0x323a6:$a39: get_DefaultCredentials
1.2.REMITTANCE COPY.exe.3f453a0.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\REMITTANCE COPY.exe, ParentImage: C:\Users\user\Desktop\REMITTANCE COPY.exe, ParentProcessId: 2820, ParentProcessName: REMITTANCE COPY.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp, ProcessId: 5524, ProcessName: schtasks.exe
No Snort rule has matched

AV Detection

Source: REMITTANCE COPY.exe | ReversingLabs: Detection: 21%
Source: REMITTANCE COPY.exe | Virustotal: Detection: 49%
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | ReversingLabs: Detection: 21%
Source: REMITTANCE COPY.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Joe Sandbox ML: detected
Source: 10.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.0.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}
Source: REMITTANCE COPY.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: REMITTANCE COPY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr
Source: Binary string: tDw0Ivm.pdb source: REMITTANCE COPY.exe, FSmZIJwnxoJulr.exe.1.dr
Source: Binary string: RegSvcs.pdb source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: global traffic | TCP traffic: 192.168.2.5:49702 -> 119.148.27.3:587
Source: RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000013.00000002.565816116.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566299272.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://BUBAorlAmTfYEKM.org
Source: RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://JXqRNJ.com
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571267257.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 0000000A.00000003.404386589.00000000067EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571422388.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493584481.0000000005F50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: REMITTANCE COPY.exe, 00000001.00000003.288469959.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com8
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.orogenicgroup-bd.com
Source: RegSvcs.exe, 00000013.00000003.493584481.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571466727.0000000005F56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571267257.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: REMITTANCE COPY.exe, 00000001.00000003.303771050.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303959941.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303624192.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303913362.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303859975.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303721912.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303668105.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.agfamonotype.E
Source: REMITTANCE COPY.exe, 00000001.00000003.291989862.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: REMITTANCE COPY.exe, 00000001.00000003.293125528.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com4
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comK
Source: REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comOp8
Source: REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comTyp
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.come-d
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comll
Source: REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comn
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.como.O
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comorm
Source: REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comr
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.336773384.00000000014B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: REMITTANCE COPY.exe, 00000001.00000003.304551334.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298354512.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298303175.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: REMITTANCE COPY.exe, 00000001.00000003.299382446.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers9
Source: REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers:
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersHr
Source: REMITTANCE COPY.exe, 00000001.00000003.304433086.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersVr
Source: REMITTANCE COPY.exe, 00000001.00000003.297651784.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersur
Source: REMITTANCE COPY.exe, 00000001.00000003.288206696.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288094280.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288042735.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.comW
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cna-e8
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnava
Source: REMITTANCE COPY.exe, 00000001.00000003.291721850.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.291634809.0000000005D84000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnf
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnft
Source: REMITTANCE COPY.exe, 00000001.00000003.291102483.0000000005D91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cniUI
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnorm
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnormX
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/i-
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.335473766.0000000005D8F000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300945403.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.302829024.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.301785961.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346313308.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.305138593.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: REMITTANCE COPY.exe, 00000001.00000003.296476214.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com8
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comp
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnX
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cncro
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
                Source: RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                Source: unknownDNS traffic detected: queries for: mail.orogenicgroup-bd.com

                System Summary

                Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 11.2.FSmZIJwnxoJulr.exe.2b2ba44.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
                Source: 1.2.REMITTANCE COPY.exe.2e0ba18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
                Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                Source: 10.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{1A51FE34-102B-4B81-B647-9B5BFE7FC3FB}/39A8F051-32C9-4CC9-BC08-BE27BEFD88F4.cs | Large array initialization: .cctor: array initializer size 10971
                Source: REMITTANCE COPY.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 11.2.FSmZIJwnxoJulr.exe.2b2ba44.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                Source: 1.2.REMITTANCE COPY.exe.2e0ba18.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B22B98
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B22788
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B22F40
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B248E0
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B268E8
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B28468
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B20040
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B245B0
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B26AD2
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B20A30
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B20A23
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B24220
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B24211
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B22B88
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B22F30
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B22778
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B248D0
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B268DB
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B20006
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B2459F
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B209D3
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B23939
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B20540
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_02B23948
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_051EC5E4
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_051EE8F8
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_051EE8E8
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_074F5F48
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_074F0560
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_074FB570
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_074F5F37
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_07500040
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Code function: 1_2_07500006
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0189F780
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0189FAC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0594C518
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_05940548
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_05942638
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0594D278
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_06894E28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0689E770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0689A4C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_068985B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_06890040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0689D518
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_0689D578
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_068973D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_068E0D58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_068E5950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_068EA7D1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_068E6089
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_068E6188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 05946F60 appears 52 times
                Source: REMITTANCE COPY.exe, 00000001.00000002.350779687.0000000007860000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs REMITTANCE COPY.exe
                Source: REMITTANCE COPY.exe, 00000001.00000000.283146986.0000000000A02000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe
                Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCassa.dll< vs REMITTANCE COPY.exe
                Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs REMITTANCE COPY.exe
                Source: REMITTANCE COPY.exe, 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs REMITTANCE COPY.exe
                Source: REMITTANCE COPY.exe, 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs REMITTANCE COPY.exe
                Source: REMITTANCE COPY.exe, 00000001.00000002.342389295.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe
                Source: REMITTANCE COPY.exe | Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe
                Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                Source: REMITTANCE COPY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: FSmZIJwnxoJulr.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: REMITTANCE COPY.exe | ReversingLabs: Detection: 21%
                Source: REMITTANCE COPY.exe | Virustotal: Detection: 49%
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | File read: C:\Users\user\Desktop\REMITTANCE COPY.exe
                Source: REMITTANCE COPY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\REMITTANCE COPY.exe C:\Users\user\Desktop\REMITTANCE COPY.exe
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp
                Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | File created: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | File created: C:\Users\user\AppData\Local\Temp\tmp72FE.tmp
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@18/9@2/1
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: RegSvcs.exe, 0000000A.00000002.434916098.0000000003682000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.565780443.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: REMITTANCE COPY.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_01
                Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Mutant created: \Sessions\1\BaseNamedObjects\DuSwhYmlPmBH
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 10.0.RegSvcs.exe.400000.0.unpack, A/f2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 10.0.RegSvcs.exe.400000.0.unpack, A/f2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: REMITTANCE COPY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: REMITTANCE COPY.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: REMITTANCE COPY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: RegSvcs.pdb, | source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr
                Source: Binary string: tDw0Ivm.pdb | source: REMITTANCE COPY.exe, FSmZIJwnxoJulr.exe.1.dr
                Source: Binary string: RegSvcs.pdb | source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr

                Data Obfuscation

                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs.Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs.Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs.Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 1_2_02B23754 pushfd ; ret
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 1_2_02B28CFB push eax; retf
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 1_2_02B28CF8 pushad ; retf
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 1_2_051EB879 pushfd ; iretd
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeCode function: 1_2_07503616 push ebx; retf
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0594F488 push esp; retf
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_06890040 push es; iretd
                Source: initial sampleStatic PE information: section name: .text entropy: 7.462745784487049
                Source: initial sampleStatic PE information: section name: .text entropy: 7.462745784487049
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
                Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs | High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'
                Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs | High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs | High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
                Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | File created: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe

                Boot Survival

                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe TID: 1004 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe TID: 4668 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 4776 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 5604 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 9841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99513
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99161
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98091
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97855
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97495
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97389
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95029
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94389
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 93694
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 93557
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 93426
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99137
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95499
Source: RegSvcs.exe, 00000013.00000002.570894397.0000000005EE0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllowerManagementCapabilities
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_06896BF8 LdrInitializeThunk,
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11DB008
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7C0008
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs | Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/C1.cs | Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/e2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Users\user\Desktop\REMITTANCE COPY.exe VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\REMITTANCE COPY.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Queries volume information: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Queries volume information: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Queries volume information: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_059454C0 GetUserNameW,

Stealing of Sensitive Information

Source: Yara match | File source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5856, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5856, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5856, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the count badge shown in that matrix cell, as extracted)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (211); Native API (1); Scheduled Task/Job (1); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection (211); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (23); Masquerading (1); Virtualization/Sandbox Evasion (131); Process Injection (211); Hidden Files and Directories (1); Masquerading
Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Account Discovery (1); File and Directory Discovery (1); System Information Discovery (114); Security Software Discovery (311); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Behavior Graph ID: 756282 | Sample: REMITTANCE COPY.exe | Startdate: 29/11/2022 | Architecture: WINDOWS | Score: 100

Signatures attached to the sample node: Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 9 other signatures

Process tree as drawn in the behavior graph (graph node numbers in parentheses, the graph's per-process count badges in square brackets):

• REMITTANCE COPY.exe [6] (7), started
    dropped: C:\Users\user\AppData\...\FSmZIJwnxoJulr.exe, PE32; C:\Users\user\AppData\Local\...\tmp72FE.tmp, XML; C:\Users\user\...\REMITTANCE COPY.exe.log, ASCII
    signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
    • RegSvcs.exe [2 5] (17), started
        network: mail.orogenicgroup-bd.com 119.148.27.3, ports 49702, 49706, 587, AGNI-ASAgniSystemsLimitedBD Bangladesh
        dropped: C:\Users\user\AppData\Roaming\...\yGbzOMp.exe, PE32
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    • schtasks.exe [1] (22), started
        • conhost.exe (34), started
• FSmZIJwnxoJulr.exe [5] (11), started
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    • RegSvcs.exe (24), started
        signatures: Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier)
    • schtasks.exe [1] (26), started
        • conhost.exe (36), started
    • RegSvcs.exe (28), started
• yGbzOMp.exe [2] (13), started
    • conhost.exe (30), started
• yGbzOMp.exe [1] (15), started
    • conhost.exe (32), started

Source | Detection | Scanner | Label | Link
REMITTANCE COPY.exe | 22% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer |
REMITTANCE COPY.exe | 49% | Virustotal | | Browse
REMITTANCE COPY.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe | 22% | ReversingLabs | ByteCode-MSIL.Infostealer.DarkStealer |
C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link | Download
10.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.orogenicgroup-bd.com | 119.148.27.3 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cncro | REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comn-u | REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com8 | REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | REMITTANCE COPY.exe, 00000001.00000003.304551334.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.com4 | REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | REMITTANCE COPY.exe, 00000001.00000003.293125528.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnorm | REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.335473766.0000000005D8F000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300945403.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.302829024.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.301785961.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346313308.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.305138593.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://fontfabrik.com | REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cniUI | REMITTANCE COPY.exe, 00000001.00000003.291102483.0000000005D91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersVr | REMITTANCE COPY.exe, 00000001.00000003.304433086.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | REMITTANCE COPY.exe, 00000001.00000003.288206696.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288094280.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288042735.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.urwpp.deDPlease | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cnf | REMITTANCE COPY.exe, 00000001.00000003.291721850.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.291634809.0000000005D84000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnava | REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comK | REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | REMITTANCE COPY.exe, 00000001.00000003.291989862.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.como.O | REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.336773384.00000000014B7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.comp | REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersHr | REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/i- | REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://microsoft.co | RegSvcs.exe, 00000013.00000003.493584481.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571466727.0000000005F56000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.orogenicgroup-bd.com | RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://BUBAorlAmTfYEKM.org | RegSvcs.exe, 00000013.00000002.565816116.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566299272.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comr | REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comll | REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.comW | REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comn | REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.come-d | REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.agfamonotype.E | REMITTANCE COPY.exe, 00000001.00000003.303771050.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303959941.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303624192.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303913362.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303859975.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303721912.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303668105.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cna-e8 | REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.com8 | REMITTANCE COPY.exe, 00000001.00000003.288469959.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comorm | REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.monotype. | REMITTANCE COPY.exe, 00000001.00000003.296476214.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cnX | REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnormX | REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnft | REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comTyp | REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://JXqRNJ.com | RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers9 | REMITTANCE COPY.exe, 00000001.00000003.299382446.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersur | REMITTANCE COPY.exe, 00000001.00000003.297651784.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cno. | REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298354512.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298303175.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers: | REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.comOp8 | REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
119.148.27.3 | mail.orogenicgroup-bd.com | Bangladesh | | 23923 | AGNI-ASAgniSystemsLimitedBD | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 756282
Start date and time: 2022-11-29 23:18:09 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: REMITTANCE COPY.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@18/9@2/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information.
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
23:19:13 | API Interceptor | 1x Sleep call for process: REMITTANCE COPY.exe modified
23:19:21 | Task Scheduler | Run new task: FSmZIJwnxoJulr path: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
23:19:26 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
23:19:35 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
23:19:42 | API Interceptor | 357x Sleep call for process: RegSvcs.exe modified
23:19:47 | API Interceptor | 1x Sleep call for process: FSmZIJwnxoJulr.exe modified
                                                  No context
Process: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  Process:C:\Users\user\Desktop\REMITTANCE COPY.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                  Malicious:true
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  Process:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):142
                                                  Entropy (8bit):5.090621108356562
                                                  Encrypted:false
                                                  SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                  MD5:8C0458BB9EA02D50565175E38D577E35
                                                  SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                  SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                  SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                  Process:C:\Users\user\Desktop\REMITTANCE COPY.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1651
                                                  Entropy (8bit):5.1775098793092065
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBVtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3p
                                                  MD5:269DCA092DD3F101BB67595918569AE5
                                                  SHA1:C073FBB9C93034493E7D4F04F5FE1D070E71DD8C
                                                  SHA-256:F2A7823946D9CC784D77659910E2DE48D2FF088AD0DE9FFD935C3EC2A43CEC27
                                                  SHA-512:008E43586B89EF3D717CD3394B3D39B5CD2F42BF9CE9E35E9CDB67269C6F2C3D14D0DA8E61763CE7362BB162EB517681A17578C4D3C0C50749AD4085C00AFD33
                                                  Malicious:true
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                  Process:C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1651
                                                  Entropy (8bit):5.1775098793092065
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBVtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3p
                                                  MD5:269DCA092DD3F101BB67595918569AE5
                                                  SHA1:C073FBB9C93034493E7D4F04F5FE1D070E71DD8C
                                                  SHA-256:F2A7823946D9CC784D77659910E2DE48D2FF088AD0DE9FFD935C3EC2A43CEC27
                                                  SHA-512:008E43586B89EF3D717CD3394B3D39B5CD2F42BF9CE9E35E9CDB67269C6F2C3D14D0DA8E61763CE7362BB162EB517681A17578C4D3C0C50749AD4085C00AFD33
                                                  Malicious:false
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                  Process:C:\Users\user\Desktop\REMITTANCE COPY.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):866816
                                                  Entropy (8bit):7.470326450965344
                                                  Encrypted:false
                                                  SSDEEP:12288:5RfBQNcgqo2Fr5cE8LHWt/SEdRMA/LyVu6gtY1OaQ3vf8aCmlSVB8Xbc20/HIPPB:r+qopvLC9/L1t+xQFCmQPxHInQ
                                                  MD5:E54CA4F235A6878E6C4913B4DDCBA055
                                                  SHA1:B91CE873B8A93B46EBAC12B5D1E62F3A1A9DD27F
                                                  SHA-256:6ACFD9EA1B88077926A542FD286DA3119B626792F71B09927CA252236245D43A
                                                  SHA-512:989091A3525EA3E57554530DAB20D934E146CAADB4B67A01B612F132758CB5B040529063B3D0EAA3ABD782B04B6C11B7EA51A53330160B3CB75BC313201D49DA
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 22%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............P......T........... ... ....@.. ....................................@.....................................K.... .. P........................................................................... ............... ..H............text...4.... ...................... ..`.rsrc... P... ...R..................@..@.reloc...............8..............@..B........................H...........................C..........................................Z(....8.....(....8....*.&~.......*...~....*.b(....8......(....8.....*...&~.......*...~....*..0..y.......8........E....=...88...(....8....s.........8....*s.........8....s.........8....s.........8....s......... .....9....&8........0...........~....o......8......*8....8......0...........~....o......8......*8....8......0...........~....o......8....8....8......*..0..$.......8......*8....8.....~....o......8....
                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):45152
                                                  Entropy (8bit):6.149629800481177
                                                  Encrypted:false
                                                  SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                                  MD5:2867A3817C9245F7CF518524DFD18F28
                                                  SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                  SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                  SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                  Process:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1141
                                                  Entropy (8bit):4.44831826838854
                                                  Encrypted:false
                                                  SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                                  MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                                  SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                                  SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                                  SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                                  Malicious:false
                                                  Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.470326450965344
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:REMITTANCE COPY.exe
                                                  File size:866816
                                                  MD5:e54ca4f235a6878e6c4913b4ddcba055
                                                  SHA1:b91ce873b8a93b46ebac12b5d1e62f3a1a9dd27f
                                                  SHA256:6acfd9ea1b88077926a542fd286da3119b626792f71b09927ca252236245d43a
                                                  SHA512:989091a3525ea3e57554530dab20d934e146caadb4b67a01b612f132758cb5b040529063b3d0eaa3abd782b04b6c11b7ea51a53330160b3cb75bc313201d49da
                                                  SSDEEP:12288:5RfBQNcgqo2Fr5cE8LHWt/SEdRMA/LyVu6gtY1OaQ3vf8aCmlSVB8Xbc20/HIPPB:r+qopvLC9/L1t+xQFCmQPxHInQ
                                                  TLSH:CB058D5673728863F58F01358495318C6EBCA583A6E6F2076B773A8056027FFFA9CE11
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............P......T........... ... ....@.. ....................................@................................
                                                  Icon Hash:4e3e72cace7e9e67
                                                  Entrypoint:0x4d032e
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x63858DB4 [Tue Nov 29 04:42:28 2022 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
add byte ptr [eax], al
(this instruction is repeated 97 times in the original listing: the bytes following the jmp stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd02e0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd2000 | 0x5020 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd0297 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xce334 | 0xce400 | False | 0.7656486742424242 | data | 7.462745784487049 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd2000 | 0x5020 | 0x5200 | False | 0.9108231707317073 | data | 7.661816841344986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd8000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xd2130 | 0x49b2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xd6ae4 | 0x14 | data | |
RT_VERSION | 0xd6af8 | 0x33c | data | |
RT_MANIFEST | 0xd6e34 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 23:19:44.276021957 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:44.587918043 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:44.588063955 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:48.028115988 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:48.028467894 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:48.340773106 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:48.341048002 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:48.654963970 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:48.714406967 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:48.905726910 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:49.226938963 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:49.226977110 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:49.226994991 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:49.227008104 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:49.227170944 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:49.228629112 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:49.401873112 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:49.570498943 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:49.882066965 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:50.011343956 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:50.270930052 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:50.582626104 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:50.584830999 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:50.897109032 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:51.011531115 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:51.817368984 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:52.167968988 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:52.174232960 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:52.486279011 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:52.486763954 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:52.806159973 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:52.806565046 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:53.117810011 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:53.119280100 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:53.119713068 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:53.120037079 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:53.120125055 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:19:53.431646109 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:53.431699991 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:53.431736946 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:53.431775093 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:53.628751040 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5
Nov 29, 2022 23:19:53.714818001 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:20:12.958915949 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:20:30.887084961 CET | 49706 | 587 | 192.168.2.5 | 119.148.27.3
Nov 29, 2022 23:20:31.192751884 CET | 587 | 49706 | 119.148.27.3 | 192.168.2.5
                                                  Nov 29, 2022 23:20:31.192878962 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:31.505937099 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:31.508374929 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:31.814308882 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:31.814596891 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:32.122059107 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:32.141771078 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:32.462547064 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:32.462631941 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:32.462693930 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:32.462743998 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:32.462865114 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:32.462865114 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:32.465277910 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:32.482307911 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:32.788265944 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:32.843096972 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:32.866729021 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:33.172338009 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:33.172903061 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:33.478811026 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:33.479494095 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:33.824166059 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:33.862101078 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:33.862700939 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:34.168560028 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:34.168592930 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:34.169233084 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:34.484185934 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:34.484831095 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:34.791023016 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:34.792371035 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:34.792440891 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:34.792514086 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:34.792606115 CET49706587192.168.2.5119.148.27.3
                                                  Nov 29, 2022 23:20:35.098450899 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:35.098514080 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:35.098743916 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:35.206922054 CET58749706119.148.27.3192.168.2.5
                                                  Nov 29, 2022 23:20:35.249504089 CET49706587192.168.2.5119.148.27.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2022 23:19:44.056919098 CET | 60649 | 53 | 192.168.2.5 | 8.8.8.8
Nov 29, 2022 23:19:44.226650953 CET | 53 | 60649 | 8.8.8.8 | 192.168.2.5
Nov 29, 2022 23:20:30.696413040 CET | 61452 | 53 | 192.168.2.5 | 8.8.8.8
Nov 29, 2022 23:20:30.867413998 CET | 53 | 61452 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2022 23:19:44.056919098 CET | 192.168.2.5 | 8.8.8.8 | 0x4265 | Standard query (0) | mail.orogenicgroup-bd.com | A (IP address) | IN (0x0001) | false
Nov 29, 2022 23:20:30.696413040 CET | 192.168.2.5 | 8.8.8.8 | 0xa6f0 | Standard query (0) | mail.orogenicgroup-bd.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2022 23:19:44.226650953 CET | 8.8.8.8 | 192.168.2.5 | 0x4265 | No error (0) | mail.orogenicgroup-bd.com | (none) | 119.148.27.3 | A (IP address) | IN (0x0001) | false
Nov 29, 2022 23:20:30.867413998 CET | 8.8.8.8 | 192.168.2.5 | 0xa6f0 | No error (0) | mail.orogenicgroup-bd.com | (none) | 119.148.27.3 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 29, 2022 23:19:48.028115988 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5 | 220-panel2.agni.com ESMTP Exim 4.95 #2 Wed, 30 Nov 2022 04:19:47 +0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 29, 2022 23:19:48.028467894 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3 | EHLO 618321
Nov 29, 2022 23:19:48.340773106 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5 | 250-panel2.agni.com Hello 618321 [102.129.143.49]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-STARTTLS
    250 HELP
Nov 29, 2022 23:19:48.341048002 CET | 49702 | 587 | 192.168.2.5 | 119.148.27.3 | STARTTLS
Nov 29, 2022 23:19:48.654963970 CET | 587 | 49702 | 119.148.27.3 | 192.168.2.5 | 220 TLS go ahead
Nov 29, 2022 23:20:31.505937099 CET | 587 | 49706 | 119.148.27.3 | 192.168.2.5 | 220-panel2.agni.com ESMTP Exim 4.95 #2 Wed, 30 Nov 2022 04:20:31 +0600
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 29, 2022 23:20:31.508374929 CET | 49706 | 587 | 192.168.2.5 | 119.148.27.3 | EHLO 618321
Nov 29, 2022 23:20:31.814308882 CET | 587 | 49706 | 119.148.27.3 | 192.168.2.5 | 250-panel2.agni.com Hello 618321 [102.129.143.49]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-STARTTLS
    250 HELP
Nov 29, 2022 23:20:31.814596891 CET | 49706 | 587 | 192.168.2.5 | 119.148.27.3 | STARTTLS
Nov 29, 2022 23:20:32.122059107 CET | 587 | 49706 | 119.148.27.3 | 192.168.2.5 | 220 TLS go ahead


                                                  Target ID:1
                                                  Start time:23:18:56
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\Desktop\REMITTANCE COPY.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\REMITTANCE COPY.exe
                                                  Imagebase:0x930000
                                                  File size:866816 bytes
                                                  MD5 hash:E54CA4F235A6878E6C4913B4DDCBA055
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:low

                                                  Target ID:8
                                                  Start time:23:19:19
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp"
                                                  Imagebase:0x9c0000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:9
                                                  Start time:23:19:19
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7fcd70000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:10
                                                  Start time:23:19:19
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0xee0000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high

                                                  Target ID:11
                                                  Start time:23:19:21
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
                                                  Imagebase:0x650000
                                                  File size:866816 bytes
                                                  MD5 hash:E54CA4F235A6878E6C4913B4DDCBA055
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 22%, ReversingLabs
                                                  Reputation:low

                                                  Target ID:12
                                                  Start time:23:19:35
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
                                                  Imagebase:0xed0000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Antivirus matches:
                                                  • Detection: 0%, ReversingLabs
                                                  Reputation:high

                                                  Target ID:13
                                                  Start time:23:19:35
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7fcd70000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:14
                                                  Start time:23:19:43
                                                  Start date:29/11/2022
                                                  Path:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
                                                  Imagebase:0x430000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:high

                                                  Target ID:15
                                                  Start time:23:19:43
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7fcd70000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:16
                                                  Start time:23:19:58
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp"
                                                  Imagebase:0x7ff7c8a30000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:17
                                                  Start time:23:19:58
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7fcd70000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Target ID:18
                                                  Start time:23:19:58
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:{path}
                                                  Imagebase:0x3f0000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language

                                                  Target ID:19
                                                  Start time:23:19:59
                                                  Start date:29/11/2022
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0x500000
                                                  File size:45152 bytes
                                                  MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                  No disassembly