Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Remittance Receipt.exe

Overview

General Information

Sample name:Remittance Receipt.exe
Analysis ID:1543469
MD5:db9a323fde82eac0d972eec0acde0209
SHA1:88ead16576193df0d647c722d70b79f50300e852
SHA256:e93171125e897ba3a556f1b0171629d2a9aaa3298510f97b5d7cda44b9c3c313
Tags:AgentTeslaexeuser-susugenjot
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Remittance Receipt.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\Remittance Receipt.exe" MD5: DB9A323FDE82EAC0D972EEC0ACDE0209)
    • powershell.exe (PID: 7460 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Remittance Receipt.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\Remittance Receipt.exe" MD5: DB9A323FDE82EAC0D972EEC0ACDE0209)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.privateemail.com", "Username": "info@bondamit.shop", "Password": "payment1759"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000003.00000002.2939186420.0000000002971000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000003.00000002.2939186420.0000000002971000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 7 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            3.2.Remittance Receipt.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              3.2.Remittance Receipt.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                3.2.Remittance Receipt.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x33495:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x33507:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x33591:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x33623:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x3368d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x336ff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x33795:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x33825:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                0.2.Remittance Receipt.exe.4c38430.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  0.2.Remittance Receipt.exe.4c38430.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 12 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Remittance Receipt.exe", ParentImage: C:\Users\user\Desktop\Remittance Receipt.exe, ParentProcessId: 7252, ParentProcessName: Remittance Receipt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe", ProcessId: 7460, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Remittance Receipt.exe", ParentImage: C:\Users\user\Desktop\Remittance Receipt.exe, ParentProcessId: 7252, ParentProcessName: Remittance Receipt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe", ProcessId: 7460, ProcessName: powershell.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 66.29.159.53, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Remittance Receipt.exe, Initiated: true, ProcessId: 7468, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Remittance Receipt.exe", ParentImage: C:\Users\user\Desktop\Remittance Receipt.exe, ParentProcessId: 7252, ParentProcessName: Remittance Receipt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe", ProcessId: 7460, ProcessName: powershell.exe

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 3.2.Remittance Receipt.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.privateemail.com", "Username": "info@bondamit.shop", "Password": "payment1759"}
                    Multi AV Scanner detection for submitted file
                    Source: Remittance Receipt.exeReversingLabs: Detection: 64%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for sample
                    Source: Remittance Receipt.exeJoe Sandbox ML: detected
                    Source: Remittance Receipt.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: Remittance Receipt.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: JAlv.pdbSHA256 source: Remittance Receipt.exe
                    Source: Binary string: JAlv.pdb source: Remittance Receipt.exe

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.4:49735 -> 66.29.159.53:587
                    Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                    Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                    Source: Joe Sandbox ViewIP Address: 66.29.159.53 66.29.159.53
                    Source: Joe Sandbox ViewASN Name: ADVANTAGECOMUS ADVANTAGECOMUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.4:49735 -> 66.29.159.53:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: smtp.privateemail.com
                    Source: Remittance Receipt.exe, 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2937793253.0000000000BF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: Remittance Receipt.exe, 00000003.00000002.2937793253.0000000000BF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: Remittance Receipt.exe, 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2938474547.0000000000C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                    Source: Remittance Receipt.exe, 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2937793253.0000000000BF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: Remittance Receipt.exe, 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2938474547.0000000000C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                    Source: Remittance Receipt.exe, 00000000.00000002.1707885261.000000000330A000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2939186420.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Remittance Receipt.exe, 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.privateemail.com
                    Source: Remittance Receipt.exeString found in binary or memory: http://tempuri.org/DataSet1.xsd
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: Remittance Receipt.exe, 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: Remittance Receipt.exe, 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2939186420.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: Remittance Receipt.exe, 00000003.00000002.2939186420.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: Remittance Receipt.exe, 00000003.00000002.2939186420.0000000002921000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: Remittance Receipt.exe, 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2938474547.0000000000C2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49733 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, R1W.cs.Net Code: Niu4iGJUscW

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 3.2.Remittance Receipt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: Remittance Receipt.exe
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A2CA8 NtQueryInformationProcess,0_2_079A2CA8
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A2CA0 NtQueryInformationProcess,0_2_079A2CA0
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_015FD3040_2_015FD304
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_0721F4080_2_0721F408
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_0721CCD80_2_0721CCD8
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_0721A1580_2_0721A158
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_072199F00_2_072199F0
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_072165780_2_07216578
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_072163100_2_07216310
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_0721F3F80_2_0721F3F8
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A34040_2_079A3404
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A50200_2_079A5020
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A00400_2_079A0040
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A25780_2_079A2578
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079AC4F00_2_079AC4F0
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079AC4E10_2_079AC4E1
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079AE4180_2_079AE418
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079AE4090_2_079AE409
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A52B00_2_079A52B0
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A52A20_2_079A52A2
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A20B80_2_079A20B8
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079AC0B80_2_079AC0B8
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A50120_2_079A5012
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A00060_2_079A0006
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A2E280_2_079A2E28
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079ABC800_2_079ABC80
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A1C800_2_079A1C80
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079A1C700_2_079A1C70
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079AB8220_2_079AB822
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_079AB8480_2_079AB848
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 0_2_0F701B600_2_0F701B60
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_00DAE2D03_2_00DAE2D0
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_00DAA9683_2_00DAA968
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_00DA4AA03_2_00DA4AA0
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_00DA3E883_2_00DA3E88
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_00DA41D03_2_00DA41D0
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_00DAB76F3_2_00DAB76F
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_065566783_2_06556678
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_06557E083_2_06557E08
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_065556303_2_06555630
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_065524203_2_06552420
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_0655C2203_2_0655C220
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_0655B2C83_2_0655B2C8
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_065577283_2_06557728
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_0655E4483_2_0655E448
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_06555D783_2_06555D78
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_065500063_2_06550006
                    Source: Remittance Receipt.exe, 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Remittance Receipt.exe
                    Source: Remittance Receipt.exe, 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebb26f961-fadf-4425-9082-cde080536011.exe4 vs Remittance Receipt.exe
                    Source: Remittance Receipt.exe, 00000000.00000002.1706846848.000000000137E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Remittance Receipt.exe
                    Source: Remittance Receipt.exe, 00000000.00000002.1707885261.000000000330A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebb26f961-fadf-4425-9082-cde080536011.exe4 vs Remittance Receipt.exe
                    Source: Remittance Receipt.exe, 00000000.00000002.1716544151.000000000C020000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Remittance Receipt.exe
                    Source: Remittance Receipt.exe, 00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamebb26f961-fadf-4425-9082-cde080536011.exe4 vs Remittance Receipt.exe
                    Source: Remittance Receipt.exe, 00000003.00000002.2937042879.0000000000939000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Remittance Receipt.exe
                    Source: Remittance Receipt.exeBinary or memory string: OriginalFilenameJAlv.exe> vs Remittance Receipt.exe
                    Source: Remittance Receipt.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 3.2.Remittance Receipt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: Remittance Receipt.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, KLhJmaON.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, KLhJmaON.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, 9HIFdl.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, 9HIFdl.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, mvQ1eYlRRr6cG91YYT.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, mvQ1eYlRRr6cG91YYT.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, mvQ1eYlRRr6cG91YYT.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, mvQ1eYlRRr6cG91YYT.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, mvQ1eYlRRr6cG91YYT.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, mvQ1eYlRRr6cG91YYT.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, mvQ1eYlRRr6cG91YYT.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, mvQ1eYlRRr6cG91YYT.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, mvQ1eYlRRr6cG91YYT.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, wF8wPweGFdnjAJoAS6.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, wF8wPweGFdnjAJoAS6.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, wF8wPweGFdnjAJoAS6.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, wF8wPweGFdnjAJoAS6.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, wF8wPweGFdnjAJoAS6.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, wF8wPweGFdnjAJoAS6.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/6@2/2
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance Receipt.exe.logJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esxcg2rg.0v0.ps1Jump to behavior
                    Source: Remittance Receipt.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Remittance Receipt.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: Remittance Receipt.exeReversingLabs: Detection: 64%
                    Source: unknownProcess created: C:\Users\user\Desktop\Remittance Receipt.exe "C:\Users\user\Desktop\Remittance Receipt.exe"
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe"
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess created: C:\Users\user\Desktop\Remittance Receipt.exe "C:\Users\user\Desktop\Remittance Receipt.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess created: C:\Users\user\Desktop\Remittance Receipt.exe "C:\Users\user\Desktop\Remittance Receipt.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: Remittance Receipt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Remittance Receipt.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Remittance Receipt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: JAlv.pdbSHA256 source: Remittance Receipt.exe
                    Source: Binary string: JAlv.pdb source: Remittance Receipt.exe

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: Remittance Receipt.exe, formMain.cs.Net Code: InitializeComponent
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, mvQ1eYlRRr6cG91YYT.cs.Net Code: R0WqVSB9jp System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, mvQ1eYlRRr6cG91YYT.cs.Net Code: R0WqVSB9jp System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, mvQ1eYlRRr6cG91YYT.cs.Net Code: R0WqVSB9jp System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Remittance Receipt.exe.7970000.4.raw.unpack, Uo.cs.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Remittance Receipt.exe.40c0b90.3.raw.unpack, Uo.cs.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
                    Source: Remittance Receipt.exeStatic PE information: 0xBF845F71 [Mon Oct 26 22:17:21 2071 UTC]
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_00DAA255 push esp; retf 00E7h3_2_00DAA6C1
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeCode function: 3_2_00DA0C6D push edi; retf 3_2_00DA0C7A
                    Source: Remittance Receipt.exeStatic PE information: section name: .text entropy: 7.9413447657152325
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, uUyLT6rWraNTNR9Bes.csHigh entropy of concatenated method names: 'LtuCIuW0JN', 'geoCvjJrsq', 'VLvCeJuX7b', 'yIqCrXQ71d', 'WasC4hA7K4', 'AwtCGUC9mn', 'U2UCYIPmJc', 'CmUCtRGWAl', 'lhYCJOnUY8', 'YmXCF1O0BM'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, Viq15SsIit3NiZkjhA.csHigh entropy of concatenated method names: 'a4QTSg4ow6', 'XbgTCbbOGt', 'f8YTQObd7k', 'sKaQRNthbm', 'bMuQzXfved', 'FHsTh9mvQd', 'oZNTd0RTq5', 'IdBTxFKjei', 'iIiTZ3RFER', 'ECvTqgIwvh'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, wIqJrOdZ56y6xyPWuhx.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TlaFDRNEvD', 'NHgFOh5ABY', 'wUtFggtgyB', 'SKxFacX3ZJ', 'rGTFbnVjoj', 'zIHF5XMkpO', 'ScDFM6GALZ'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, eOaMVbaLTkyQmyHWEB.csHigh entropy of concatenated method names: 'a7QY7NBboI', 'mDnY94mrZ8', 'ToString', 'A7DYSQQ37k', 'HsdYfoUb6s', 'IyEYC1Qvud', 'FY5Y3VWUnr', 'BrZYQjY6y5', 'Mw3YTa6NRH', 'J6mYlARBLU'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, uo6sWEdhOuZxlT37aDM.csHigh entropy of concatenated method names: 'UIZJpG8Ft1', 'GApJyg03P4', 'YufJVZC1i0', 'P6cJI40Vhb', 'MHtJ0imdj9', 'GnLJvMtZmE', 'k0FJKSdfW5', 'mMPJeeyNdX', 'FKjJrR4FMk', 'aLeJ1ffIdo'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, wF8wPweGFdnjAJoAS6.csHigh entropy of concatenated method names: 'fqnfDnuKDN', 'tW2fOTJ3eK', 'IUifgi6QXE', 'q8TfaJoC5K', 'Ml2fbnKfYV', 'pd1f5Hfm0F', 'RrafMvUWIr', 'CBPfNJbKXS', 'hLFfWviTQq', 'lNefRXNfc9'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, tyFMtN2g9fpQOpTUBO.csHigh entropy of concatenated method names: 'QHITpfisfY', 'O8DTys9vtK', 'guCTVMGNC4', 'DsTTIfu05E', 'Q4BT0SDPM6', 'VFhTvPcDx1', 'XIJTKTJIvY', 'GbNTeA7lUA', 'C9yTrPqm64', 'yhfT1EZqFx'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, mvQ1eYlRRr6cG91YYT.csHigh entropy of concatenated method names: 'rDPZEgAVG8', 'TU7ZSIidYq', 'MFmZfSwwAw', 'tBvZCX2HG1', 'gnQZ3VwQto', 'hjhZQfV7mU', 'IaQZTE7FCN', 'yklZlSktqT', 'TxSZATNepT', 'KdTZ7kIQig'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, hluDHtjT4EfvxDCuWZ.csHigh entropy of concatenated method names: 'iGNQE1g2pQ', 'w7MQfrl4Tk', 'YWiQ38iRwA', 'aytQT6DLQg', 'XSYQl1uqD1', 'r0a3bpZldC', 'YsK354ixGi', 'Ppe3MtnjaB', 'PN63NKydRF', 'RP33WiM6sR'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, YySA4CRAfZopcXJlUS.csHigh entropy of concatenated method names: 'yapJdUPGJe', 'pVXJZ8Td9a', 'mwmJqlJppf', 'umLJSDvXxr', 'OM3Jfqkdsp', 'hsFJ3Hy4o7', 'yclJQiulkk', 'GoxtMo8HxC', 'B13tNG86ta', 'nRltWRxmYA'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, BIropUwKGWAP0KsEjt.csHigh entropy of concatenated method names: 'Sy5neDPs0Q', 'R7Pnrho2Xr', 'dfxnjubFqk', 'DKUnicVoUJ', 'Ap7n6weswt', 'BEDnBPbkbl', 'Tk7nsBAkr5', 'n5VnUaPVif', 'pu0nuhnQjw', 'b6InXtQpVK'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, uSAGG0NJjPyxhOyBIw.csHigh entropy of concatenated method names: 'DLwtShvCx1', 'AY8tf7sWHg', 'fdEtC293gF', 'PJqt3pRraO', 'KHqtQfyY5V', 'xlZtTVqaqn', 'it3tlF3oDs', 'y7CtA1deBf', 'Pptt7sngiA', 'Rg9t9QVuUc'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, hTp9K4fUflI2NTAFdZ.csHigh entropy of concatenated method names: 'Dispose', 'A14dWf93Ys', 'o9rxifJRPL', 'e5WGGCFm5A', 'CHSdRAGG0J', 'GPydzxhOyB', 'ProcessDialogKey', 'zwQxhRCHjl', 'tSyxdmtEmh', 'nLuxxRySA4'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, DUANteqPTww7e4XBnT.csHigh entropy of concatenated method names: 'AJkdTF8wPw', 'pFddlnjAJo', 'IWrd7aNTNR', 'mBed9sckfV', 'dbXd4Bp3lu', 'RHtdGT4Efv', 'GntuQpT6w9u1i9Xht9', 'lltGtmLfGaW8oTFwkM', 'EwVddjTwK2', 'YEKdZOOyVL'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, OnYsWAgpGSVkWwb4h1.csHigh entropy of concatenated method names: 'ToString', 'LIIGXrbReS', 'BDTGicQcrj', 'fGoGoRyavJ', 'SCjG6Ph8t1', 'JRdGBO5Saq', 'Os9G8IgnLk', 'EgvGss6OYs', 'dsuGUZuDDN', 'vZXG2J018B'
                    Source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, yBjtk8xgpnq3MBFwn4.csHigh entropy of concatenated method names: 'hybViWf0V', 'aHZIrJ3lO', 'GiSvbpDOl', 'edGKqxg2F', 'DaxriVfbi', 'm2l12dgiq', 'n37nINcbRy2PjSNYwe', 'CLqNoogrCtScT2e7Cf', 'w3pGP4UDg42ZZ6aXDV', 'gjgttsp5L'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, uUyLT6rWraNTNR9Bes.csHigh entropy of concatenated method names: 'LtuCIuW0JN', 'geoCvjJrsq', 'VLvCeJuX7b', 'yIqCrXQ71d', 'WasC4hA7K4', 'AwtCGUC9mn', 'U2UCYIPmJc', 'CmUCtRGWAl', 'lhYCJOnUY8', 'YmXCF1O0BM'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, Viq15SsIit3NiZkjhA.csHigh entropy of concatenated method names: 'a4QTSg4ow6', 'XbgTCbbOGt', 'f8YTQObd7k', 'sKaQRNthbm', 'bMuQzXfved', 'FHsTh9mvQd', 'oZNTd0RTq5', 'IdBTxFKjei', 'iIiTZ3RFER', 'ECvTqgIwvh'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, wIqJrOdZ56y6xyPWuhx.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TlaFDRNEvD', 'NHgFOh5ABY', 'wUtFggtgyB', 'SKxFacX3ZJ', 'rGTFbnVjoj', 'zIHF5XMkpO', 'ScDFM6GALZ'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, eOaMVbaLTkyQmyHWEB.csHigh entropy of concatenated method names: 'a7QY7NBboI', 'mDnY94mrZ8', 'ToString', 'A7DYSQQ37k', 'HsdYfoUb6s', 'IyEYC1Qvud', 'FY5Y3VWUnr', 'BrZYQjY6y5', 'Mw3YTa6NRH', 'J6mYlARBLU'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, uo6sWEdhOuZxlT37aDM.csHigh entropy of concatenated method names: 'UIZJpG8Ft1', 'GApJyg03P4', 'YufJVZC1i0', 'P6cJI40Vhb', 'MHtJ0imdj9', 'GnLJvMtZmE', 'k0FJKSdfW5', 'mMPJeeyNdX', 'FKjJrR4FMk', 'aLeJ1ffIdo'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, wF8wPweGFdnjAJoAS6.csHigh entropy of concatenated method names: 'fqnfDnuKDN', 'tW2fOTJ3eK', 'IUifgi6QXE', 'q8TfaJoC5K', 'Ml2fbnKfYV', 'pd1f5Hfm0F', 'RrafMvUWIr', 'CBPfNJbKXS', 'hLFfWviTQq', 'lNefRXNfc9'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, tyFMtN2g9fpQOpTUBO.csHigh entropy of concatenated method names: 'QHITpfisfY', 'O8DTys9vtK', 'guCTVMGNC4', 'DsTTIfu05E', 'Q4BT0SDPM6', 'VFhTvPcDx1', 'XIJTKTJIvY', 'GbNTeA7lUA', 'C9yTrPqm64', 'yhfT1EZqFx'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, mvQ1eYlRRr6cG91YYT.csHigh entropy of concatenated method names: 'rDPZEgAVG8', 'TU7ZSIidYq', 'MFmZfSwwAw', 'tBvZCX2HG1', 'gnQZ3VwQto', 'hjhZQfV7mU', 'IaQZTE7FCN', 'yklZlSktqT', 'TxSZATNepT', 'KdTZ7kIQig'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, hluDHtjT4EfvxDCuWZ.csHigh entropy of concatenated method names: 'iGNQE1g2pQ', 'w7MQfrl4Tk', 'YWiQ38iRwA', 'aytQT6DLQg', 'XSYQl1uqD1', 'r0a3bpZldC', 'YsK354ixGi', 'Ppe3MtnjaB', 'PN63NKydRF', 'RP33WiM6sR'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, YySA4CRAfZopcXJlUS.csHigh entropy of concatenated method names: 'yapJdUPGJe', 'pVXJZ8Td9a', 'mwmJqlJppf', 'umLJSDvXxr', 'OM3Jfqkdsp', 'hsFJ3Hy4o7', 'yclJQiulkk', 'GoxtMo8HxC', 'B13tNG86ta', 'nRltWRxmYA'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, BIropUwKGWAP0KsEjt.csHigh entropy of concatenated method names: 'Sy5neDPs0Q', 'R7Pnrho2Xr', 'dfxnjubFqk', 'DKUnicVoUJ', 'Ap7n6weswt', 'BEDnBPbkbl', 'Tk7nsBAkr5', 'n5VnUaPVif', 'pu0nuhnQjw', 'b6InXtQpVK'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, uSAGG0NJjPyxhOyBIw.csHigh entropy of concatenated method names: 'DLwtShvCx1', 'AY8tf7sWHg', 'fdEtC293gF', 'PJqt3pRraO', 'KHqtQfyY5V', 'xlZtTVqaqn', 'it3tlF3oDs', 'y7CtA1deBf', 'Pptt7sngiA', 'Rg9t9QVuUc'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, hTp9K4fUflI2NTAFdZ.csHigh entropy of concatenated method names: 'Dispose', 'A14dWf93Ys', 'o9rxifJRPL', 'e5WGGCFm5A', 'CHSdRAGG0J', 'GPydzxhOyB', 'ProcessDialogKey', 'zwQxhRCHjl', 'tSyxdmtEmh', 'nLuxxRySA4'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, DUANteqPTww7e4XBnT.csHigh entropy of concatenated method names: 'AJkdTF8wPw', 'pFddlnjAJo', 'IWrd7aNTNR', 'mBed9sckfV', 'dbXd4Bp3lu', 'RHtdGT4Efv', 'GntuQpT6w9u1i9Xht9', 'lltGtmLfGaW8oTFwkM', 'EwVddjTwK2', 'YEKdZOOyVL'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, OnYsWAgpGSVkWwb4h1.csHigh entropy of concatenated method names: 'ToString', 'LIIGXrbReS', 'BDTGicQcrj', 'fGoGoRyavJ', 'SCjG6Ph8t1', 'JRdGBO5Saq', 'Os9G8IgnLk', 'EgvGss6OYs', 'dsuGUZuDDN', 'vZXG2J018B'
                    Source: 0.2.Remittance Receipt.exe.c020000.5.raw.unpack, yBjtk8xgpnq3MBFwn4.csHigh entropy of concatenated method names: 'hybViWf0V', 'aHZIrJ3lO', 'GiSvbpDOl', 'edGKqxg2F', 'DaxriVfbi', 'm2l12dgiq', 'n37nINcbRy2PjSNYwe', 'CLqNoogrCtScT2e7Cf', 'w3pGP4UDg42ZZ6aXDV', 'gjgttsp5L'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, uUyLT6rWraNTNR9Bes.csHigh entropy of concatenated method names: 'LtuCIuW0JN', 'geoCvjJrsq', 'VLvCeJuX7b', 'yIqCrXQ71d', 'WasC4hA7K4', 'AwtCGUC9mn', 'U2UCYIPmJc', 'CmUCtRGWAl', 'lhYCJOnUY8', 'YmXCF1O0BM'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, Viq15SsIit3NiZkjhA.csHigh entropy of concatenated method names: 'a4QTSg4ow6', 'XbgTCbbOGt', 'f8YTQObd7k', 'sKaQRNthbm', 'bMuQzXfved', 'FHsTh9mvQd', 'oZNTd0RTq5', 'IdBTxFKjei', 'iIiTZ3RFER', 'ECvTqgIwvh'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, wIqJrOdZ56y6xyPWuhx.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TlaFDRNEvD', 'NHgFOh5ABY', 'wUtFggtgyB', 'SKxFacX3ZJ', 'rGTFbnVjoj', 'zIHF5XMkpO', 'ScDFM6GALZ'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, eOaMVbaLTkyQmyHWEB.csHigh entropy of concatenated method names: 'a7QY7NBboI', 'mDnY94mrZ8', 'ToString', 'A7DYSQQ37k', 'HsdYfoUb6s', 'IyEYC1Qvud', 'FY5Y3VWUnr', 'BrZYQjY6y5', 'Mw3YTa6NRH', 'J6mYlARBLU'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, uo6sWEdhOuZxlT37aDM.csHigh entropy of concatenated method names: 'UIZJpG8Ft1', 'GApJyg03P4', 'YufJVZC1i0', 'P6cJI40Vhb', 'MHtJ0imdj9', 'GnLJvMtZmE', 'k0FJKSdfW5', 'mMPJeeyNdX', 'FKjJrR4FMk', 'aLeJ1ffIdo'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, wF8wPweGFdnjAJoAS6.csHigh entropy of concatenated method names: 'fqnfDnuKDN', 'tW2fOTJ3eK', 'IUifgi6QXE', 'q8TfaJoC5K', 'Ml2fbnKfYV', 'pd1f5Hfm0F', 'RrafMvUWIr', 'CBPfNJbKXS', 'hLFfWviTQq', 'lNefRXNfc9'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, tyFMtN2g9fpQOpTUBO.csHigh entropy of concatenated method names: 'QHITpfisfY', 'O8DTys9vtK', 'guCTVMGNC4', 'DsTTIfu05E', 'Q4BT0SDPM6', 'VFhTvPcDx1', 'XIJTKTJIvY', 'GbNTeA7lUA', 'C9yTrPqm64', 'yhfT1EZqFx'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, mvQ1eYlRRr6cG91YYT.csHigh entropy of concatenated method names: 'rDPZEgAVG8', 'TU7ZSIidYq', 'MFmZfSwwAw', 'tBvZCX2HG1', 'gnQZ3VwQto', 'hjhZQfV7mU', 'IaQZTE7FCN', 'yklZlSktqT', 'TxSZATNepT', 'KdTZ7kIQig'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, hluDHtjT4EfvxDCuWZ.csHigh entropy of concatenated method names: 'iGNQE1g2pQ', 'w7MQfrl4Tk', 'YWiQ38iRwA', 'aytQT6DLQg', 'XSYQl1uqD1', 'r0a3bpZldC', 'YsK354ixGi', 'Ppe3MtnjaB', 'PN63NKydRF', 'RP33WiM6sR'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, YySA4CRAfZopcXJlUS.csHigh entropy of concatenated method names: 'yapJdUPGJe', 'pVXJZ8Td9a', 'mwmJqlJppf', 'umLJSDvXxr', 'OM3Jfqkdsp', 'hsFJ3Hy4o7', 'yclJQiulkk', 'GoxtMo8HxC', 'B13tNG86ta', 'nRltWRxmYA'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, BIropUwKGWAP0KsEjt.csHigh entropy of concatenated method names: 'Sy5neDPs0Q', 'R7Pnrho2Xr', 'dfxnjubFqk', 'DKUnicVoUJ', 'Ap7n6weswt', 'BEDnBPbkbl', 'Tk7nsBAkr5', 'n5VnUaPVif', 'pu0nuhnQjw', 'b6InXtQpVK'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, uSAGG0NJjPyxhOyBIw.csHigh entropy of concatenated method names: 'DLwtShvCx1', 'AY8tf7sWHg', 'fdEtC293gF', 'PJqt3pRraO', 'KHqtQfyY5V', 'xlZtTVqaqn', 'it3tlF3oDs', 'y7CtA1deBf', 'Pptt7sngiA', 'Rg9t9QVuUc'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, hTp9K4fUflI2NTAFdZ.csHigh entropy of concatenated method names: 'Dispose', 'A14dWf93Ys', 'o9rxifJRPL', 'e5WGGCFm5A', 'CHSdRAGG0J', 'GPydzxhOyB', 'ProcessDialogKey', 'zwQxhRCHjl', 'tSyxdmtEmh', 'nLuxxRySA4'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, DUANteqPTww7e4XBnT.csHigh entropy of concatenated method names: 'AJkdTF8wPw', 'pFddlnjAJo', 'IWrd7aNTNR', 'mBed9sckfV', 'dbXd4Bp3lu', 'RHtdGT4Efv', 'GntuQpT6w9u1i9Xht9', 'lltGtmLfGaW8oTFwkM', 'EwVddjTwK2', 'YEKdZOOyVL'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, OnYsWAgpGSVkWwb4h1.csHigh entropy of concatenated method names: 'ToString', 'LIIGXrbReS', 'BDTGicQcrj', 'fGoGoRyavJ', 'SCjG6Ph8t1', 'JRdGBO5Saq', 'Os9G8IgnLk', 'EgvGss6OYs', 'dsuGUZuDDN', 'vZXG2J018B'
                    Source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, yBjtk8xgpnq3MBFwn4.csHigh entropy of concatenated method names: 'hybViWf0V', 'aHZIrJ3lO', 'GiSvbpDOl', 'edGKqxg2F', 'DaxriVfbi', 'm2l12dgiq', 'n37nINcbRy2PjSNYwe', 'CLqNoogrCtScT2e7Cf', 'w3pGP4UDg42ZZ6aXDV', 'gjgttsp5L'

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: Remittance Receipt.exe PID: 7252, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: 15F0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: 30A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: 50A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: 9480000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: A480000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: A690000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: B690000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: C0A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: D0A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: E0A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: DA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: 2920000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: 2730000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5317Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3806Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeWindow / User API: threadDelayed 1208Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeWindow / User API: threadDelayed 3737Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7272Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7652Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7616Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -12912720851596678s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7740Thread sleep count: 1208 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -99891s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -99766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -99641s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7740Thread sleep count: 3737 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -99532s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -99407s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -99282s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -99172s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -99063s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -98938s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -98813s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -98688s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -98563s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -98453s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -98344s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -98219s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -98109s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -98000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -97891s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -97781s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -97672s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -97563s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -97438s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -97328s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exe TID: 7736Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 99891Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 99766Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 99641Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 99532Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 99407Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 99282Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 99172Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 99063Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 98938Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 98813Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 98688Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 98563Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 98453Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 98344Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 98219Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 98109Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 98000Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 97891Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 97781Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 97672Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 97563Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 97438Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 97328Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: Remittance Receipt.exe, 00000000.00000002.1706846848.00000000013B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Remittance Receipt.exe, 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: hgfsZrw6
                    Source: Remittance Receipt.exe, 00000003.00000002.2938474547.0000000000C2C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe"
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe"Jump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeMemory written: C:\Users\user\Desktop\Remittance Receipt.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeProcess created: C:\Users\user\Desktop\Remittance Receipt.exe "C:\Users\user\Desktop\Remittance Receipt.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Users\user\Desktop\Remittance Receipt.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Users\user\Desktop\Remittance Receipt.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 3.2.Remittance Receipt.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4c38430.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2939186420.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Remittance Receipt.exe PID: 7252, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Remittance Receipt.exe PID: 7468, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\Remittance Receipt.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 3.2.Remittance Receipt.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4c38430.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2939186420.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Remittance Receipt.exe PID: 7252, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Remittance Receipt.exe PID: 7468, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 3.2.Remittance Receipt.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4c38430.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4bbb7f0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4c38430.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Remittance Receipt.exe.4b3f3d0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2939186420.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Remittance Receipt.exe PID: 7252, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Remittance Receipt.exe PID: 7468, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts111
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		1
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		1
                    Query Registry                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing                    		NTDS111
                    Security Software Discovery                    		Distributed Component Object Model1
                    Input Capture                    		2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Timestomp                    		LSA Secrets1
                    Process Discovery                    		SSHKeylogging23
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading                    		Cached Domain Credentials141
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    Masquerading                    		DCSync1
                    Application Window Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                    Virtualization/Sandbox Evasion                    		Proc Filesystem1
                    System Network Configuration Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt111
                    Process Injection                    		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    Remittance Receipt.exe65%ReversingLabsByteCode-MSIL.Backdoor.FormBook
                    Remittance Receipt.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    https://api.ipify.org/0%URL Reputationsafe
                    http://www.fontbureau.com0%URL Reputationsafe
                    http://www.fontbureau.com/designersG0%URL Reputationsafe
                    https://sectigo.com/CPS00%URL Reputationsafe
                    http://www.fontbureau.com/designers/?0%URL Reputationsafe
                    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                    https://account.dyn.com/0%URL Reputationsafe
                    http://ocsp.sectigo.com00%URL Reputationsafe
                    http://www.fontbureau.com/designers?0%URL Reputationsafe
                    http://www.tiro.com0%URL Reputationsafe
                    http://www.fontbureau.com/designers0%URL Reputationsafe
                    http://www.goodfont.co.kr0%URL Reputationsafe
                    https://api.ipify.org/t0%URL Reputationsafe
                    http://www.carterandcone.coml0%URL Reputationsafe
                    http://www.sajatypeworks.com0%URL Reputationsafe
                    http://www.typography.netD0%URL Reputationsafe
                    http://www.fontbureau.com/designers/cabarga.htmlN0%URL Reputationsafe
                    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                    https://api.ipify.org0%URL Reputationsafe
                    http://www.founder.com.cn/cn0%URL Reputationsafe
                    http://www.fontbureau.com/designers/frere-user.html0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                    http://www.fontbureau.com/designers80%URL Reputationsafe
                    http://www.fonts.com0%URL Reputationsafe
                    http://www.sandoll.co.kr0%URL Reputationsafe
                    http://www.urwpp.deDPlease0%URL Reputationsafe
                    http://www.zhongyicts.com.cn0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    http://www.sakkal.com0%URL Reputationsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    api.ipify.org
                    		104.26.12.205
                    		truefalse
                      		unknown
                      smtp.privateemail.com
                      		66.29.159.53
                      		truetrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/false
                        • URL Reputation: safe
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#Remittance Receipt.exe, 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2938474547.0000000000C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                          		unknown
                          http://www.apache.org/licenses/LICENSE-2.0Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            http://www.fontbureau.comRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designersGRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://sectigo.com/CPS0Remittance Receipt.exe, 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2938474547.0000000000C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers/?Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn/bTheRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://account.dyn.com/Remittance Receipt.exe, 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://ocsp.sectigo.com0Remittance Receipt.exe, 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2938474547.0000000000C2C000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers?Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://tempuri.org/DataSet1.xsdRemittance Receipt.exefalse
                              		unknown
                              http://www.tiro.comRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designersRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.goodfont.co.krRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://api.ipify.org/tRemittance Receipt.exe, 00000003.00000002.2939186420.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://smtp.privateemail.comRemittance Receipt.exe, 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                http://www.carterandcone.comlRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sajatypeworks.comRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.typography.netDRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers/cabarga.htmlNRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cn/cTheRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/staff/dennis.htmRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://api.ipify.orgRemittance Receipt.exe, 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2939186420.0000000002921000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cnRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers/frere-user.htmlRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp/Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/DPleaseRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers8Remittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fonts.comRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sandoll.co.krRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deDPleaseRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.zhongyicts.com.cnRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRemittance Receipt.exe, 00000000.00000002.1707885261.000000000330A000.00000004.00000800.00020000.00000000.sdmp, Remittance Receipt.exe, 00000003.00000002.2939186420.0000000002921000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sakkal.comRemittance Receipt.exe, 00000000.00000002.1713130239.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown

                                World Map of Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public IPs

                                IPDomainCountryFlagASNASN NameMalicious
                                104.26.12.205
                                		api.ipify.orgUnited States
                                		13335CLOUDFLARENETUSfalse
                                66.29.159.53
                                		smtp.privateemail.comUnited States
                                		19538ADVANTAGECOMUStrue

                                General Information

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1543469
                                Start date and time:2024-10-27 23:20:05 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 6m 6s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:10
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:Remittance Receipt.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@6/6@2/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 92
                                • Number of non-executed functions: 24
                                Cookbook Comments:
                                • Found application associated with file extension: .exe

                                Warnings

                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: Remittance Receipt.exe

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                18:20:59API Interceptor26x Sleep call for process: Remittance Receipt.exe modified
                                18:21:01API Interceptor13x Sleep call for process: powershell.exe modified

                                Joe Sandbox View / Context

                                IPs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                104.26.12.205Yc9hcFC1ux.exeGet hashmaliciousUnknownBrowse
                                • api.ipify.org/
                                6706e721f2c06.exeGet hashmaliciousRemcosBrowse
                                • api.ipify.org/
                                perfcc.elfGet hashmaliciousXmrigBrowse
                                • api.ipify.org/
                                SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                • api.ipify.org/
                                SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exeGet hashmaliciousRDPWrap ToolBrowse
                                • api.ipify.org/
                                hloRQZmlfg.exeGet hashmaliciousRDPWrap ToolBrowse
                                • api.ipify.org/
                                file.exeGet hashmaliciousRDPWrap ToolBrowse
                                • api.ipify.org/
                                file.exeGet hashmaliciousUnknownBrowse
                                • api.ipify.org/
                                file.exeGet hashmaliciousUnknownBrowse
                                • api.ipify.org/
                                file.exeGet hashmaliciousUnknownBrowse
                                • api.ipify.org/
                                66.29.159.53Payment Slip.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                  HSBC Payment Advice_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                    Payment List.bat.exeGet hashmaliciousAgentTeslaBrowse
                                      INQUIRY RE44535_pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                        Texas_Tool_Purchase_Order#T18834-1.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                          Swift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                            e-dekont_swift-details.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                              17129052285907bbffa1e06db9a2c2be9b124dbfe370dcce33488c29504b5286529b8a6aa8471.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                Scan_IMG-Payment Sheet _Till Febuary 2024...bat.exeGet hashmaliciousAgentTeslaBrowse
                                                  1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse

                                                    Domains

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    smtp.privateemail.comPayment Slip.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                    • 66.29.159.53
                                                    HSBC Payment Advice_pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 66.29.159.53
                                                    Payment List.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 66.29.159.53
                                                    INQUIRY RE44535_pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 66.29.159.53
                                                    Texas_Tool_Purchase_Order#T18834-1.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                    • 66.29.159.53
                                                    Swift_Message#1234323456.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                    • 66.29.159.53
                                                    e-dekont_swift-details.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                    • 66.29.159.53
                                                    17129052285907bbffa1e06db9a2c2be9b124dbfe370dcce33488c29504b5286529b8a6aa8471.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 66.29.159.53
                                                    Scan_IMG-Payment Sheet _Till Febuary 2024...bat.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 66.29.159.53
                                                    1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 66.29.159.53
                                                    api.ipify.orgSecuriteInfo.com.Win64.Malware-gen.4046.15809.exeGet hashmaliciousEICARBrowse
                                                    • 104.26.13.205
                                                    SecuriteInfo.com.Win64.Malware-gen.4046.15809.exeGet hashmaliciousUnknownBrowse
                                                    • 104.26.12.205
                                                    SUNNY HONG VSL PARTICULARS.xlsx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 172.67.74.152
                                                    SecuriteInfo.com.Trojan.Inject5.10837.16335.2292.exeGet hashmaliciousAgentTeslaBrowse
                                                    • 172.67.74.152
                                                    Rampage.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                    • 104.26.13.205
                                                    Order Specifications for Materials.docx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 104.26.12.205
                                                    https://pub-535a4999ab4b4c1e81647bad9b888e40.r2.dev/onedrivefresh.htmlGet hashmaliciousUnknownBrowse
                                                    • 172.67.74.152
                                                    https://ipfox.co.uk/pages/thanks.html#RXJpay5Kb2huc29uQGFnLnN0YXRlLm1uLnVzGet hashmaliciousUnknownBrowse
                                                    • 104.26.13.205
                                                    https://gf5q.sqpbij.shop/?c2V0aC5wZW1iZXJAYXV0b3BhcnRpbnRsLmNvbTp3NThyNgGet hashmaliciousHTMLPhisherBrowse
                                                    • 104.26.13.205

                                                    ASNs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    CLOUDFLARENETUSfile.exeGet hashmaliciousLummaCBrowse
                                                    • 172.67.170.64
                                                    file.exeGet hashmaliciousLummaCBrowse
                                                    • 104.21.95.91
                                                    https://bit.ly/3Cbulr1Get hashmaliciousUnknownBrowse
                                                    • 172.67.154.120
                                                    file.exeGet hashmaliciousLummaCBrowse
                                                    • 104.21.95.91
                                                    file.exeGet hashmaliciousLummaCBrowse
                                                    • 104.21.95.91
                                                    SecuriteInfo.com.Win64.Malware-gen.13500.20938.exeGet hashmaliciousPython Stealer, Exela StealerBrowse
                                                    • 162.159.135.232
                                                    PbfYaIvR5B.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 188.114.97.3
                                                    file.exeGet hashmaliciousLummaCBrowse
                                                    • 104.21.95.91
                                                    SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exeGet hashmaliciousUnknownBrowse
                                                    • 104.26.0.5
                                                    SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeGet hashmaliciousBlank GrabberBrowse
                                                    • 104.20.23.46
                                                    ADVANTAGECOMUSmm.exeGet hashmaliciousUnknownBrowse
                                                    • 66.29.137.43
                                                    rBALT-10212024.exeGet hashmaliciousFormBookBrowse
                                                    • 66.29.149.46
                                                    9b7dlGj5Gq.exeGet hashmaliciousFormBookBrowse
                                                    • 66.29.141.40
                                                    https://vestliaresort-my.sharepoint.com/:o:/g/personal/ziga_vestlia_no/Eky579E0q2lOhPOUshOGsHcBMaZdCfwRcrEzHT2ZmUZxNA?e=ksWeaaGet hashmaliciousUnknownBrowse
                                                    • 66.29.147.206
                                                    https://new-doctor-booking-php-mysql.filemakrxpert.com/Get hashmaliciousUnknownBrowse
                                                    • 66.29.148.84
                                                    https://mairenaflores.com/office.htmlGet hashmaliciousUnknownBrowse
                                                    • 66.29.141.48
                                                    rAGROTIS10599242024.exeGet hashmaliciousFormBookBrowse
                                                    • 66.29.149.46
                                                    oO3ZmCAeLQ.exeGet hashmaliciousFormBookBrowse
                                                    • 66.29.149.46
                                                    https://app.powerbi.com/view?r=eyJrIjoiOWEwN2RmMjItNjhiOC00Njc0LTliM2MtNzdiNWRiOGVlMWIyIiwidCI6IjJkMTNkMGU4LTI1YjgtNDE2Yi04YzQ1LTVkZDU4MDgzYmVjZCJ9Get hashmaliciousUnknownBrowse
                                                    • 66.29.131.166
                                                    https:/app.powerbi.com/view?r=eyJrIjoiOWEwN2RmMjItNjhiOC00Njc0LTliM2MtNzdiNWRiOGVlMWIyIiwidCI6IjJkMTNkMGU4LTI1YjgtNDE2Yi04YzQ1LTVkZDU4MDgzYmVjZCJ9Get hashmaliciousEvilProxyBrowse
                                                    • 66.29.131.166

                                                    JA3 Fingerprints

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    3b5074b1b5d032e5620f69f9f700ff0ePbfYaIvR5B.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 104.26.12.205
                                                    SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exeGet hashmaliciousBlank GrabberBrowse
                                                    • 104.26.12.205
                                                    SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exeGet hashmaliciousUnknownBrowse
                                                    • 104.26.12.205
                                                    SecuriteInfo.com.Win64.Trojan.Agent.2S9FJA.25494.32016.exeGet hashmaliciousUnknownBrowse
                                                    • 104.26.12.205
                                                    sheisverynicegirlwithgreatworkingskillwithgereatniceworkign.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                    • 104.26.12.205
                                                    seemeherewithgreatthingsentiretimewithgreatthingsonhere.htaGet hashmaliciousCobalt StrikeBrowse
                                                    • 104.26.12.205
                                                    seethebestthingswhichgivennewthingswithmewesee.htaGet hashmaliciousCobalt StrikeBrowse
                                                    • 104.26.12.205
                                                    TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlxs.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                    • 104.26.12.205
                                                    Factura-2410-CFDI.batGet hashmaliciousUnknownBrowse
                                                    • 104.26.12.205
                                                    SUNNY HONG VSL PARTICULARS.xlsx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    • 104.26.12.205

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance Receipt.exe.log

                                                    Download File
                                                    Process:C:\Users\user\Desktop\Remittance Receipt.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.34331486778365
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1172
                                                    Entropy (8bit):5.357042452875322
                                                    Encrypted:false
                                                    SSDEEP:24:3CytZWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:yyjWSU4y4RQmFoUeWmfmZ9tK8NDE
                                                    MD5:475D428E7231D005EEA5DB556DBED03F
                                                    SHA1:3D603ED4280E0017D1BEB124D68183F8283B5C22
                                                    SHA-256:1314488A930843A7E1A003F2E7C1D883DB44ADEC26AC1CA096FE8DC1B4B180F5
                                                    SHA-512:7181BDCE6DA8DA8AFD3A973BB2B0BA470468EFF32FFB338DB2662FEFA1A7848ACD87C319706B95401EA18DC873CA098DC722EA6F8B2FD04F1AABD2AEBEA97CF9
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3dcxi2ey.vzw.ps1

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esxcg2rg.0v0.ps1

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_peaivkta.owi.psm1

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfibl34n.wjg.psm1

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.933068500226317
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:Remittance Receipt.exe
                                                    File size:714'752 bytes
                                                    MD5:db9a323fde82eac0d972eec0acde0209
                                                    SHA1:88ead16576193df0d647c722d70b79f50300e852
                                                    SHA256:e93171125e897ba3a556f1b0171629d2a9aaa3298510f97b5d7cda44b9c3c313
                                                    SHA512:d22a3073ea9d5c6111e61200521fa9453fc5c5814a4cd64595d5d297c6c5f9d2b5d186d10700728d19087a72c8c392a87797ffe5a48440a42165b095f12204ad
                                                    SSDEEP:12288:KCfiaaMHHsczu6ko6E52x82u6/DsXsW7mbXt8V8XME+L:KYi5MH1z9J2du6LsXGtm8Ra
                                                    TLSH:2DE412913BA88B61C9FEA7F54A72595147B3716F587AE34C8DC230DD0073B860E90B6B
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q_................0.............n.... ........@.. .......................@............@................................

                                                    File Icon

                                                    Icon Hash:90cececece8e8eb0

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x4afa6e
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0xBF845F71 [Mon Oct 26 22:17:21 2071 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    NameVirtual AddressVirtual Size Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0xafa1b0x4f.text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0xb00000x630.rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0xb20000xc.reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0xad8f80x70.text
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                    Sections

                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                    .text0x20000xada740xadc0003ccd812af1ba1ea2ba05ca705b6677cFalse0.9512294851618706data7.9413447657152325IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rsrc0xb00000x6300x8007ae99a757c8bb4e800e24f03e06d4f33False0.33837890625data3.4779937429790824IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc0xb20000xc0x20049a41c9a66ff4b862ab63a067c950e33False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                    RT_VERSION0xb00900x3a0data0.4213362068965517
                                                    RT_MANIFEST0xb04400x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                    Imports

                                                    DLLImport
                                                    mscoree.dll_CorExeMain

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Oct 27, 2024 23:21:01.566791058 CET49733443192.168.2.4104.26.12.205
                                                    Oct 27, 2024 23:21:01.566838980 CET44349733104.26.12.205192.168.2.4
                                                    Oct 27, 2024 23:21:01.566966057 CET49733443192.168.2.4104.26.12.205
                                                    Oct 27, 2024 23:21:01.575361013 CET49733443192.168.2.4104.26.12.205
                                                    Oct 27, 2024 23:21:01.575371027 CET44349733104.26.12.205192.168.2.4
                                                    Oct 27, 2024 23:21:02.182329893 CET44349733104.26.12.205192.168.2.4
                                                    Oct 27, 2024 23:21:02.182470083 CET49733443192.168.2.4104.26.12.205
                                                    Oct 27, 2024 23:21:02.185472012 CET49733443192.168.2.4104.26.12.205
                                                    Oct 27, 2024 23:21:02.185484886 CET44349733104.26.12.205192.168.2.4
                                                    Oct 27, 2024 23:21:02.185915947 CET44349733104.26.12.205192.168.2.4
                                                    Oct 27, 2024 23:21:02.227716923 CET49733443192.168.2.4104.26.12.205
                                                    Oct 27, 2024 23:21:02.251667023 CET49733443192.168.2.4104.26.12.205
                                                    Oct 27, 2024 23:21:02.295331955 CET44349733104.26.12.205192.168.2.4
                                                    Oct 27, 2024 23:21:02.433902979 CET44349733104.26.12.205192.168.2.4
                                                    Oct 27, 2024 23:21:02.433978081 CET44349733104.26.12.205192.168.2.4
                                                    Oct 27, 2024 23:21:02.434118986 CET49733443192.168.2.4104.26.12.205
                                                    Oct 27, 2024 23:21:02.439871073 CET49733443192.168.2.4104.26.12.205
                                                    Oct 27, 2024 23:21:03.439301014 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:03.444751978 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:03.444957972 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:04.640562057 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:04.640748978 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:04.646204948 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:04.786503077 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:04.786648989 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:04.792443991 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:04.932595968 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:04.933202028 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:04.938636065 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.166516066 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.166553974 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.166605949 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.166639090 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.166726112 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.166749001 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:05.166749001 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:05.166755915 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.166903973 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:05.192286015 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:05.198107958 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.338932037 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.343039989 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:05.348830938 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.489298105 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.490252972 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:05.495857954 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.637387991 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.637939930 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:05.643476009 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.788176060 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.788491011 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:05.794080019 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.935563087 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:05.935863972 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:05.941266060 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:06.089720011 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:06.096009970 CET49735587192.168.2.466.29.159.53
                                                    Oct 27, 2024 23:21:06.102263927 CET5874973566.29.159.53192.168.2.4
                                                    Oct 27, 2024 23:21:06.102334023 CET49735587192.168.2.466.29.159.53

                                                    UDP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Oct 27, 2024 23:21:01.552128077 CET5438953192.168.2.41.1.1.1
                                                    Oct 27, 2024 23:21:01.560538054 CET53543891.1.1.1192.168.2.4
                                                    Oct 27, 2024 23:21:03.423233032 CET4961053192.168.2.41.1.1.1
                                                    Oct 27, 2024 23:21:03.438663006 CET53496101.1.1.1192.168.2.4

                                                    DNS Queries

                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                    Oct 27, 2024 23:21:01.552128077 CET192.168.2.41.1.1.10x2b60Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                    Oct 27, 2024 23:21:03.423233032 CET192.168.2.41.1.1.10x90fbStandard query (0)smtp.privateemail.comA (IP address)IN (0x0001)false

                                                    DNS Answers

                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                    Oct 27, 2024 23:21:01.560538054 CET1.1.1.1192.168.2.40x2b60No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                    Oct 27, 2024 23:21:01.560538054 CET1.1.1.1192.168.2.40x2b60No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                    Oct 27, 2024 23:21:01.560538054 CET1.1.1.1192.168.2.40x2b60No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                    Oct 27, 2024 23:21:03.438663006 CET1.1.1.1192.168.2.40x90fbNo error (0)smtp.privateemail.com66.29.159.53A (IP address)IN (0x0001)false

                                                    HTTP Request Dependency Graph

                                                    • api.ipify.org

                                                    HTTPS Proxied Packets

                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                    0192.168.2.449733104.26.12.2054437468C:\Users\user\Desktop\Remittance Receipt.exe
                                                    TimestampBytes transferredDirectionData
                                                    2024-10-27 22:21:02 UTC155OUTGET / HTTP/1.1
                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                    Host: api.ipify.org
                                                    Connection: Keep-Alive
                                                    2024-10-27 22:21:02 UTC211INHTTP/1.1 200 OK
                                                    Date: Sun, 27 Oct 2024 22:21:02 GMT
                                                    Content-Type: text/plain
                                                    Content-Length: 14
                                                    Connection: close
                                                    Vary: Origin
                                                    cf-cache-status: DYNAMIC
                                                    Server: cloudflare
                                                    CF-RAY: 8d9613a97a9947a9-DFW
                                                    2024-10-27 22:21:02 UTC14INData Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30
                                                    Data Ascii: 173.254.250.90


                                                    SMTP Packets

                                                    TimestampSource PortDest PortSource IPDest IPCommands
                                                    Oct 27, 2024 23:21:04.640562057 CET5874973566.29.159.53192.168.2.4220 PrivateEmail.com prod Mail Node
                                                    Oct 27, 2024 23:21:04.640748978 CET49735587192.168.2.466.29.159.53EHLO 932923
                                                    Oct 27, 2024 23:21:04.786503077 CET5874973566.29.159.53192.168.2.4250-mta-11.privateemail.com
                                                    250-PIPELINING
                                                    250-SIZE 81788928
                                                    250-ETRN
                                                    250-AUTH PLAIN LOGIN
                                                    250-ENHANCEDSTATUSCODES
                                                    250-8BITMIME
                                                    250-CHUNKING
                                                    250 STARTTLS
                                                    Oct 27, 2024 23:21:04.786648989 CET49735587192.168.2.466.29.159.53STARTTLS
                                                    Oct 27, 2024 23:21:04.932595968 CET5874973566.29.159.53192.168.2.4220 Ready to start TLS

                                                    Statistics

                                                    CPU Usage

                                                    Click to jump to process

                                                    Memory Usage

                                                    Click to jump to process

                                                    High Level Behavior Distribution

                                                    Click to dive into process behavior distribution

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    General

                                                    Target ID:0
                                                    Start time:18:20:57
                                                    Start date:27/10/2024
                                                    Path:C:\Users\user\Desktop\Remittance Receipt.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Remittance Receipt.exe"
                                                    Imagebase:0xce0000
                                                    File size:714'752 bytes
                                                    MD5 hash:DB9A323FDE82EAC0D972EEC0ACDE0209
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1708383480.0000000004938000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:2
                                                    Start time:18:21:00
                                                    Start date:27/10/2024
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Remittance Receipt.exe"
                                                    Imagebase:0x770000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:3
                                                    Start time:18:21:00
                                                    Start date:27/10/2024
                                                    Path:C:\Users\user\Desktop\Remittance Receipt.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Remittance Receipt.exe"
                                                    Imagebase:0x4d0000
                                                    File size:714'752 bytes
                                                    MD5 hash:DB9A323FDE82EAC0D972EEC0ACDE0209
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2936779609.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2939186420.0000000002971000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2939186420.0000000002971000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2939186420.000000000299B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:false

                                                    General

                                                    Target ID:4
                                                    Start time:18:21:00
                                                    Start date:27/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7699e0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Disassembly

                                                    Reset < >

                                                      Execution Graph

                                                      Execution Coverage:13.3%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:2.1%
                                                      Total number of Nodes:289
                                                      Total number of Limit Nodes:19
                                                      execution_graph 43097 79a38fa 43098 79a3834 43097->43098 43101 79a40b8 43098->43101 43105 79a40b1 43098->43105 43102 79a40fe OutputDebugStringW 43101->43102 43104 79a4137 43102->43104 43104->43098 43107 79a40fe OutputDebugStringW 43105->43107 43108 79a4137 43107->43108 43108->43098 43109 79a3778 43110 79a379c 43109->43110 43111 79a40b8 OutputDebugStringW 43110->43111 43112 79a40b1 OutputDebugStringW 43110->43112 43111->43110 43112->43110 42889 15fd3d8 42890 15fd41e GetCurrentProcess 42889->42890 42892 15fd469 42890->42892 42893 15fd470 GetCurrentThread 42890->42893 42892->42893 42894 15fd4ad GetCurrentProcess 42893->42894 42895 15fd4a6 42893->42895 42896 15fd4e3 42894->42896 42895->42894 42897 15fd50b GetCurrentThreadId 42896->42897 42898 15fd53c 42897->42898 42899 79aee1d 42904 79afe00 42899->42904 42921 79afe51 42899->42921 42939 79afdf0 42899->42939 42900 79aee2c 42905 79afe1a 42904->42905 42906 79afe22 42905->42906 42956 f70027d 42905->42956 42961 f7007db 42905->42961 42966 f7002d6 42905->42966 42970 f700114 42905->42970 42978 f700371 42905->42978 42983 f7001f0 42905->42983 42991 f70048e 42905->42991 42996 f7005ed 42905->42996 43001 f700589 42905->43001 43005 f700848 42905->43005 43010 f700424 42905->43010 43018 f70013f 42905->43018 43027 f70029e 42905->43027 43035 f70075d 42905->43035 42906->42900 42922 79afe5e 42921->42922 42923 79afdfb 42921->42923 42922->42900 42924 f7001f0 4 API calls 42923->42924 42925 f700371 2 API calls 42923->42925 42926 f700114 4 API calls 42923->42926 42927 f7002d6 2 API calls 42923->42927 42928 f7007db 2 API calls 42923->42928 42929 f70027d 2 API calls 42923->42929 42930 f70075d 2 API calls 42923->42930 42931 f70029e 4 API calls 42923->42931 42932 f70013f 4 API calls 42923->42932 42933 f700424 4 API calls 42923->42933 42934 f700848 2 API calls 42923->42934 42935 f700589 2 API calls 42923->42935 42936 79afe22 42923->42936 42937 f7005ed 2 API calls 42923->42937 42938 f70048e 2 API calls 42923->42938 42924->42936 42925->42936 42926->42936 42927->42936 42928->42936 42929->42936 42930->42936 42931->42936 42932->42936 42933->42936 42934->42936 42935->42936 42936->42900 42937->42936 42938->42936 42940 79afdfb 42939->42940 42941 f7001f0 4 API calls 42940->42941 42942 f700371 2 API calls 42940->42942 42943 f700114 4 API calls 42940->42943 42944 f7002d6 2 API calls 42940->42944 42945 f7007db 2 API calls 42940->42945 42946 f70027d 2 API calls 42940->42946 42947 f70075d 2 API calls 42940->42947 42948 f70029e 4 API calls 42940->42948 42949 f70013f 4 API calls 42940->42949 42950 f700424 4 API calls 42940->42950 42951 f700848 2 API calls 42940->42951 42952 f700589 2 API calls 42940->42952 42953 79afe22 42940->42953 42954 f7005ed 2 API calls 42940->42954 42955 f70048e 2 API calls 42940->42955 42941->42953 42942->42953 42943->42953 42944->42953 42945->42953 42946->42953 42947->42953 42948->42953 42949->42953 42950->42953 42951->42953 42952->42953 42953->42900 42954->42953 42955->42953 42957 f700286 42956->42957 42958 f700291 42957->42958 43040 79ae190 42957->43040 43044 79ae188 42957->43044 42958->42906 42962 f70038f 42961->42962 42963 f700b35 42962->42963 43048 79ae268 42962->43048 43052 79ae260 42962->43052 42963->42906 42968 79ae188 Wow64SetThreadContext 42966->42968 42969 79ae190 Wow64SetThreadContext 42966->42969 42967 f7002f5 42967->42906 42968->42967 42969->42967 42971 f70011d 42970->42971 43056 79ae9e8 42971->43056 43060 79ae9dd 42971->43060 42979 f700377 42978->42979 42980 f700b35 42979->42980 42981 79ae268 VirtualAllocEx 42979->42981 42982 79ae260 VirtualAllocEx 42979->42982 42980->42906 42981->42979 42982->42979 42984 f700182 42983->42984 42987 79ae9e8 CreateProcessA 42984->42987 42988 79ae9dd CreateProcessA 42984->42988 42985 f70025e 42986 f700291 42985->42986 42989 79ae188 Wow64SetThreadContext 42985->42989 42990 79ae190 Wow64SetThreadContext 42985->42990 42986->42906 42986->42986 42987->42985 42988->42985 42989->42985 42990->42985 42992 f700494 42991->42992 43064 79ae328 42992->43064 43068 79ae320 42992->43068 42993 f700829 42997 f7005f3 42996->42997 43072 79ae848 42997->43072 43076 79ae850 42997->43076 42998 f700619 43003 79ae328 WriteProcessMemory 43001->43003 43004 79ae320 WriteProcessMemory 43001->43004 43002 f7005b0 43003->43002 43004->43002 43006 f700855 43005->43006 43080 79ae0d9 43006->43080 43084 79ae0e0 43006->43084 43007 f70093f 43011 f700429 43010->43011 43014 79ae328 WriteProcessMemory 43011->43014 43015 79ae320 WriteProcessMemory 43011->43015 43012 f700286 43012->42906 43013 f700291 43012->43013 43016 79ae188 Wow64SetThreadContext 43012->43016 43017 79ae190 Wow64SetThreadContext 43012->43017 43013->42906 43014->43012 43015->43012 43016->43012 43017->43012 43020 f70011d 43018->43020 43019 f70016e 43019->42906 43020->43019 43025 79ae9e8 CreateProcessA 43020->43025 43026 79ae9dd CreateProcessA 43020->43026 43021 f70025e 43022 f700291 43021->43022 43023 79ae188 Wow64SetThreadContext 43021->43023 43024 79ae190 Wow64SetThreadContext 43021->43024 43022->42906 43023->43021 43024->43021 43025->43021 43026->43021 43028 f7002c1 43027->43028 43031 79ae328 WriteProcessMemory 43028->43031 43032 79ae320 WriteProcessMemory 43028->43032 43029 f700286 43029->42906 43030 f700291 43029->43030 43033 79ae188 Wow64SetThreadContext 43029->43033 43034 79ae190 Wow64SetThreadContext 43029->43034 43030->42906 43031->43029 43032->43029 43033->43029 43034->43029 43037 f70038f 43035->43037 43036 f700b35 43036->42906 43037->43036 43038 79ae268 VirtualAllocEx 43037->43038 43039 79ae260 VirtualAllocEx 43037->43039 43038->43037 43039->43037 43041 79ae1d5 Wow64SetThreadContext 43040->43041 43043 79ae21d 43041->43043 43043->42957 43045 79ae1d5 Wow64SetThreadContext 43044->43045 43047 79ae21d 43045->43047 43047->42957 43049 79ae2a8 VirtualAllocEx 43048->43049 43051 79ae2e5 43049->43051 43051->42962 43053 79ae2a8 VirtualAllocEx 43052->43053 43055 79ae2e5 43053->43055 43055->42962 43057 79aea71 43056->43057 43057->43057 43058 79aebd6 CreateProcessA 43057->43058 43059 79aec33 43058->43059 43061 79ae9e8 43060->43061 43061->43061 43062 79aebd6 CreateProcessA 43061->43062 43063 79aec33 43062->43063 43065 79ae370 WriteProcessMemory 43064->43065 43067 79ae3c7 43065->43067 43067->42993 43069 79ae328 WriteProcessMemory 43068->43069 43071 79ae3c7 43069->43071 43071->42993 43073 79ae850 ReadProcessMemory 43072->43073 43075 79ae8df 43073->43075 43075->42998 43077 79ae89b ReadProcessMemory 43076->43077 43079 79ae8df 43077->43079 43079->42998 43081 79ae120 ResumeThread 43080->43081 43083 79ae151 43081->43083 43083->43007 43085 79ae120 ResumeThread 43084->43085 43087 79ae151 43085->43087 43087->43007 43124 15f4668 43125 15f467a 43124->43125 43126 15f4686 43125->43126 43130 15f4778 43125->43130 43135 15f4204 43126->43135 43128 15f46a5 43131 15f479d 43130->43131 43139 15f4878 43131->43139 43143 15f4888 43131->43143 43136 15f420f 43135->43136 43151 15f5c74 43136->43151 43138 15f6ff0 43138->43128 43140 15f48af 43139->43140 43141 15f498c 43140->43141 43147 15f44f0 43140->43147 43144 15f48af 43143->43144 43145 15f44f0 CreateActCtxA 43144->43145 43146 15f498c 43144->43146 43145->43146 43148 15f5918 CreateActCtxA 43147->43148 43150 15f59db 43148->43150 43150->43150 43152 15f5c7f 43151->43152 43155 15f5c94 43152->43155 43154 15f7095 43154->43138 43156 15f5c9f 43155->43156 43159 15f5cc4 43156->43159 43158 15f717a 43158->43154 43160 15f5ccf 43159->43160 43163 15f5cf4 43160->43163 43162 15f726d 43162->43158 43164 15f5cff 43163->43164 43166 15f856b 43164->43166 43169 15fac19 43164->43169 43165 15f85a9 43165->43162 43166->43165 43173 15fcd00 43166->43173 43179 15fac50 43169->43179 43182 15fac40 43169->43182 43170 15fac2e 43170->43166 43174 15fccb3 43173->43174 43175 15fcd06 43173->43175 43174->43165 43176 15fcd55 43175->43176 43191 15fcec0 43175->43191 43195 15fceb0 43175->43195 43176->43165 43186 15fad48 43179->43186 43180 15fac5f 43180->43170 43183 15fac50 43182->43183 43185 15fad48 GetModuleHandleW 43183->43185 43184 15fac5f 43184->43170 43185->43184 43187 15fad7c 43186->43187 43188 15fad59 43186->43188 43187->43180 43188->43187 43189 15faf80 GetModuleHandleW 43188->43189 43190 15fafad 43189->43190 43190->43180 43192 15fcecd 43191->43192 43194 15fcf07 43192->43194 43199 15fb720 43192->43199 43194->43176 43197 15fcecd 43195->43197 43196 15fcf07 43196->43176 43197->43196 43198 15fb720 GetModuleHandleW 43197->43198 43198->43196 43200 15fb72b 43199->43200 43202 15fdc18 43200->43202 43203 15fd024 43200->43203 43202->43202 43204 15fd02f 43203->43204 43205 15f5cf4 GetModuleHandleW 43204->43205 43206 15fdc87 43205->43206 43206->43202 43088 f700ef8 43089 f701083 43088->43089 43090 f700f1e 43088->43090 43090->43089 43093 f701171 PostMessageW 43090->43093 43095 f701178 PostMessageW 43090->43095 43094 f7011e4 43093->43094 43094->43090 43096 f7011e4 43095->43096 43096->43090 43113 7214288 43114 72142b3 43113->43114 43115 72142ac 43113->43115 43119 72142da 43114->43119 43120 7212d8c 43114->43120 43118 7212d8c GetCurrentThreadId 43118->43119 43121 7212d97 43120->43121 43122 72145ef GetCurrentThreadId 43121->43122 43123 72142d0 43121->43123 43122->43123 43123->43118 43207 721f3d8 43208 721f3e4 43207->43208 43212 79a1b00 43208->43212 43217 79a1af0 43208->43217 43209 721f3f5 43213 79a1b1c 43212->43213 43222 79a2a28 43213->43222 43227 79a2a38 43213->43227 43214 79a1bc6 43214->43209 43218 79a1b1c 43217->43218 43220 79a2a38 2 API calls 43218->43220 43221 79a2a28 2 API calls 43218->43221 43219 79a1bc6 43219->43209 43220->43219 43221->43219 43223 79a2a4a 43222->43223 43232 79a2a78 43223->43232 43237 79a2a68 43223->43237 43224 79a2a5e 43224->43214 43228 79a2a4a 43227->43228 43230 79a2a78 2 API calls 43228->43230 43231 79a2a68 2 API calls 43228->43231 43229 79a2a5e 43229->43214 43230->43229 43231->43229 43233 79a2a92 43232->43233 43242 79a2b38 43233->43242 43247 79a2b48 43233->43247 43234 79a2ab5 43234->43224 43238 79a2a92 43237->43238 43240 79a2b38 2 API calls 43238->43240 43241 79a2b48 2 API calls 43238->43241 43239 79a2ab5 43239->43224 43240->43239 43241->43239 43243 79a2b46 43242->43243 43252 79a2ca8 43243->43252 43255 79a2ca0 43243->43255 43244 79a2bf3 43244->43234 43248 79a2b6c 43247->43248 43250 79a2ca8 NtQueryInformationProcess 43248->43250 43251 79a2ca0 NtQueryInformationProcess 43248->43251 43249 79a2bf3 43249->43234 43250->43249 43251->43249 43253 79a2cf3 NtQueryInformationProcess 43252->43253 43254 79a2d36 43253->43254 43254->43244 43256 79a2cf3 NtQueryInformationProcess 43255->43256 43257 79a2d36 43256->43257 43257->43244 43258 15fd620 DuplicateHandle 43259 15fd6b6 43258->43259

                                                      Executed Functions

                                                      Function 0721A158 Relevance: 5.3, Strings: 4, Instructions: 328COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 646 721a158-721a17b 647 721a186-721a1a6 646->647 648 721a17d-721a183 646->648 651 721a1a8 647->651 652 721a1ad-721a1b4 647->652 648->647 653 721a53c-721a545 651->653 654 721a1b6-721a1c1 652->654 655 721a1c7-721a1da 654->655 656 721a54d-721a55a 654->656 659 721a1f0-721a20b 655->659 660 721a1dc-721a1ea 655->660 664 721a20d-721a213 659->664 665 721a22f-721a232 659->665 660->659 663 721a4c4-721a4cb 660->663 663->653 668 721a4cd-721a4cf 663->668 666 721a215 664->666 667 721a21c-721a21f 664->667 669 721a238-721a23b 665->669 670 721a38c-721a392 665->670 666->667 666->670 672 721a252-721a258 666->672 673 721a47e-721a481 666->673 667->672 674 721a221-721a224 667->674 675 721a4d1-721a4d6 668->675 676 721a4de-721a4e4 668->676 669->670 671 721a241-721a247 669->671 670->673 677 721a398-721a39d 670->677 671->670 678 721a24d 671->678 679 721a25a-721a25c 672->679 680 721a25e-721a260 672->680 681 721a487-721a48d 673->681 682 721a548 673->682 683 721a22a 674->683 684 721a2be-721a2c4 674->684 675->676 676->656 685 721a4e6-721a4eb 676->685 677->673 678->673 689 721a26a-721a273 679->689 680->689 690 721a4b2-721a4b6 681->690 691 721a48f-721a497 681->691 682->656 683->673 684->673 688 721a2ca-721a2d0 684->688 686 721a530-721a533 685->686 687 721a4ed-721a4f2 685->687 686->682 699 721a535-721a53a 686->699 687->682 692 721a4f4 687->692 693 721a2d2-721a2d4 688->693 694 721a2d6-721a2d8 688->694 696 721a275-721a280 689->696 697 721a286-721a2ae 689->697 690->663 698 721a4b8-721a4be 690->698 691->656 695 721a49d-721a4ac 691->695 700 721a4fb-721a500 692->700 701 721a2e2-721a2f9 693->701 694->701 695->659 695->690 696->673 696->697 719 721a3a2-721a3d8 697->719 720 721a2b4-721a2b9 697->720 698->654 698->663 699->653 699->668 702 721a522-721a524 700->702 703 721a502-721a504 700->703 712 721a324-721a34b 701->712 713 721a2fb-721a314 701->713 702->682 710 721a526-721a529 702->710 707 721a513-721a519 703->707 708 721a506-721a50b 703->708 707->656 711 721a51b-721a520 707->711 708->707 710->686 711->702 715 721a4f6-721a4f9 711->715 712->682 724 721a351-721a354 712->724 713->719 725 721a31a-721a31f 713->725 715->682 715->700 726 721a3e5-721a3ed 719->726 727 721a3da-721a3de 719->727 720->719 724->682 728 721a35a-721a383 724->728 725->719 726->682 731 721a3f3-721a3f8 726->731 729 721a3e0-721a3e3 727->729 730 721a3fd-721a401 727->730 728->719 743 721a385-721a38a 728->743 729->726 729->730 732 721a420-721a424 730->732 733 721a403-721a409 730->733 731->673 736 721a426-721a42c 732->736 737 721a42e-721a44a 732->737 733->732 735 721a40b-721a413 733->735 735->682 738 721a419-721a41e 735->738 736->737 740 721a453-721a457 736->740 744 721a44d call 721a730 737->744 745 721a44d call 721a740 737->745 738->673 740->673 741 721a459-721a475 740->741 741->673 743->719 744->740 745->740
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1713075970.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (okq$(okq$,oq$,oq
                                                      • API String ID: 0-2865278577
                                                      • Opcode ID: 4ba32f2599f5ff76dd7c8d80a13e0dc37c7d74b3f7808a92e7490c1bd91aa89a
                                                      • Instruction ID: 5ca576fa93a768bf9ad6c221421a08f4f24e1e0d2dc0d792113b224dbeeac941
                                                      • Opcode Fuzzy Hash: 4ba32f2599f5ff76dd7c8d80a13e0dc37c7d74b3f7808a92e7490c1bd91aa89a
                                                      • Instruction Fuzzy Hash: 00D13EB0A2111ADFCB14CFA9D988AADBBF6FF99300F15C165E405A7264D730ED41CB50
                                                      Function 0721CCD8 Relevance: 3.4, Strings: 2, Instructions: 854COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1713075970.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (okq$4'kq
                                                      • API String ID: 0-1210385896
                                                      • Opcode ID: 4e459206ac68eadade057c3ef526dda0e7ee27b798465aabd5447d53097b6293
                                                      • Instruction ID: d5e98de07503b181b02ef6ceac63d9662e9c17e8e99e2627c05a240f0dbf9bab
                                                      • Opcode Fuzzy Hash: 4e459206ac68eadade057c3ef526dda0e7ee27b798465aabd5447d53097b6293
                                                      • Instruction Fuzzy Hash: 1472A0B5B2064ADFCF15CF68D984AAEBBF2FF98300F158559E4199B261D730E881CB50
                                                      Function 072199F0 Relevance: 3.1, Strings: 2, Instructions: 560COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1709 72199f0-7219a26 1710 7219ff1-721a04c call 721a158 1709->1710 1711 7219a2c-7219a3a 1709->1711 1719 721a09c-721a0a0 1710->1719 1720 721a04e-721a052 1710->1720 1714 7219a68-7219a79 1711->1714 1715 7219a3c-7219a4d 1711->1715 1716 7219a7b-7219a7f 1714->1716 1717 7219aea-7219afe 1714->1717 1715->1714 1726 7219a4f-7219a5b 1715->1726 1721 7219a81-7219a8d 1716->1721 1722 7219a9a-7219aa3 1716->1722 1856 7219b01 call 72199e0 1717->1856 1857 7219b01 call 72199f0 1717->1857 1730 721a0a2-721a0b1 1719->1730 1731 721a0b7-721a0cb 1719->1731 1727 721a061-721a068 1720->1727 1728 721a054-721a059 1720->1728 1732 7219a93-7219a95 1721->1732 1733 7219e1b-7219e66 1721->1733 1724 7219aa9-7219aac 1722->1724 1725 7219dac 1722->1725 1724->1725 1734 7219ab2-7219ad1 1724->1734 1735 7219db1-7219e14 1725->1735 1726->1735 1736 7219a61-7219a63 1726->1736 1737 721a13e-721a152 1727->1737 1738 721a06e-721a075 1727->1738 1728->1727 1729 7219b07-7219b0d 1739 7219b16-7219b1d 1729->1739 1740 7219b0f-7219b11 1729->1740 1741 721a0b3-721a0b5 1730->1741 1742 721a0dd-721a0e7 1730->1742 1852 721a0cd call 721cee3 1731->1852 1853 721a0cd call 721ccd2 1731->1853 1854 721a0cd call 721cef6 1731->1854 1855 721a0cd call 721ccd8 1731->1855 1743 7219da2-7219da9 1732->1743 1805 7219e6d-7219eec 1733->1805 1734->1725 1768 7219ad7-7219add 1734->1768 1735->1733 1736->1743 1738->1719 1749 721a077-721a07b 1738->1749 1747 7219b23-7219b3a 1739->1747 1748 7219c0b-7219c1c 1739->1748 1740->1743 1750 721a0d3-721a0da 1741->1750 1744 721a0f1-721a0f5 1742->1744 1745 721a0e9-721a0ef 1742->1745 1752 721a0fd-721a137 1744->1752 1754 721a0f7 1744->1754 1745->1752 1747->1748 1762 7219b40-7219b4c 1747->1762 1766 7219c46-7219c4c 1748->1766 1767 7219c1e-7219c2b 1748->1767 1756 721a08a-721a091 1749->1756 1757 721a07d-721a082 1749->1757 1752->1737 1754->1752 1756->1737 1761 721a097-721a09a 1756->1761 1757->1756 1761->1750 1772 7219b52-7219bbe 1762->1772 1773 7219c04-7219c06 1762->1773 1770 7219c67-7219c6d 1766->1770 1771 7219c4e-7219c5a 1766->1771 1767->1770 1783 7219c2d-7219c39 1767->1783 1768->1710 1775 7219ae3-7219ae7 1768->1775 1780 7219c73-7219c90 1770->1780 1781 7219d9f 1770->1781 1778 7219c60-7219c62 1771->1778 1779 7219f03-7219f66 1771->1779 1808 7219bc0-7219bea 1772->1808 1809 7219bec-7219c01 1772->1809 1773->1743 1775->1717 1778->1743 1832 7219f6d-7219fec 1779->1832 1780->1725 1799 7219c96-7219c99 1780->1799 1781->1743 1789 7219ef1-7219efc 1783->1789 1790 7219c3f-7219c41 1783->1790 1789->1779 1790->1743 1799->1710 1801 7219c9f-7219cc5 1799->1801 1801->1781 1814 7219ccb-7219cd7 1801->1814 1808->1809 1809->1773 1816 7219d9b-7219d9d 1814->1816 1817 7219cdd-7219d55 1814->1817 1816->1743 1833 7219d83-7219d98 1817->1833 1834 7219d57-7219d81 1817->1834 1833->1816 1834->1833 1852->1750 1853->1750 1854->1750 1855->1750 1856->1729 1857->1729
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1713075970.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (okq$Hoq
                                                      • API String ID: 0-4134915641
                                                      • Opcode ID: 6d4c6cd763cc710aa2b8da20d4574a4d800b8f6f3a281adfe89d113985d33c36
                                                      • Instruction ID: c3c3967c32ee548edaa9742b968c67b40aa6c268221e97acc3d4b83a1b43c5ef
                                                      • Opcode Fuzzy Hash: 6d4c6cd763cc710aa2b8da20d4574a4d800b8f6f3a281adfe89d113985d33c36
                                                      • Instruction Fuzzy Hash: 5B228FB0A1025A9FDB14DF69C954BAEBBF6FF88300F148429E84597391DF34AD81CB90
                                                      Function 079A2CA0 Relevance: 1.6, APIs: 1, Instructions: 59nativeCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 079A2D27
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: InformationProcessQuery
                                                      • String ID:
                                                      • API String ID: 1778838933-0
                                                      • Opcode ID: 80e9e9b1ffcc22bf4ab044bc3b2b8e27689cd5c76f7865e5e89ec5bdb93f6529
                                                      • Instruction ID: ae29c5b544824be070a093234df9e338a7a65a25ca64cfe6e387010b99f3441e
                                                      • Opcode Fuzzy Hash: 80e9e9b1ffcc22bf4ab044bc3b2b8e27689cd5c76f7865e5e89ec5bdb93f6529
                                                      • Instruction Fuzzy Hash: 74210FB6900249DFCB10CF9AD984ADEFBF4FB48324F20842AE958A7610C334A540CFA5
                                                      Function 079A2CA8 Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 079A2D27
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: InformationProcessQuery
                                                      • String ID:
                                                      • API String ID: 1778838933-0
                                                      • Opcode ID: e015f1584ac5cc4b956b1f9a091499cfcfbd9ab2113b36a5c97a74a913458eeb
                                                      • Instruction ID: ad7379a90b6cc73e1260497658461a04e0744451b5f1c57b547627a51a2dd838
                                                      • Opcode Fuzzy Hash: e015f1584ac5cc4b956b1f9a091499cfcfbd9ab2113b36a5c97a74a913458eeb
                                                      • Instruction Fuzzy Hash: 6A21C0B6901359EFCB10DF9AD984ADEFBF4FB48314F20842AE958A7210C375A544CFA5
                                                      Function 079A0040 Relevance: .5, Instructions: 506COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7a573f99a51bb03a7e4794c8bc65383eee18b4770f7a9b8b90cfbefb4015b04d
                                                      • Instruction ID: 844cb068ea4dd905759ab5047506c7a0989af3059643f90792d03a1ec91422c7
                                                      • Opcode Fuzzy Hash: 7a573f99a51bb03a7e4794c8bc65383eee18b4770f7a9b8b90cfbefb4015b04d
                                                      • Instruction Fuzzy Hash: 014282B4E11219CFDB64CFA9C984B9DBBF2BF48315F1481A9E809A7355DB30A981CF50
                                                      Function 0721F408 Relevance: .5, Instructions: 482COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1713075970.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a6230c471c43dee8e6b7f3f4a93e6e276d8ca850e7fa549fd378d4d518ed8088
                                                      • Instruction ID: 6b270fdae561e41a8e558428b15132981c998bc49c993015d64ff2f41de677a0
                                                      • Opcode Fuzzy Hash: a6230c471c43dee8e6b7f3f4a93e6e276d8ca850e7fa549fd378d4d518ed8088
                                                      • Instruction Fuzzy Hash: 3132D4B091221ACFDB50DF69C680A8EFBF2BF48315F55D195E418AB212DB30E981CF64
                                                      Function 0F701B60 Relevance: .3, Instructions: 341COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1717632405.000000000F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F700000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f700000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f5b69d6ecbaa94929cd7461135427c74e8dc1fa03a67990f8f66509c040ae657
                                                      • Instruction ID: fded0b82f5839aaf42f1df8f0b0e7b429ccac7dc081f7f6cd04d4a1d9fbaa28a
                                                      • Opcode Fuzzy Hash: f5b69d6ecbaa94929cd7461135427c74e8dc1fa03a67990f8f66509c040ae657
                                                      • Instruction Fuzzy Hash: 9EC1DA70701605CFDB29EB76C410BAEB7FAAF89704F9444ADD24A8B2D5DB74E801CB52
                                                      Function 079A3404 Relevance: .2, Instructions: 191COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6e2c8d0ce3f8615c2602aa6ec6b0d35e6d6f94df1b9acc25ecc50ac394aa1c1
                                                      • Instruction ID: bea7dfe60f573a46386af54d56614c603b34f651c488923ca4019387583d2e79
                                                      • Opcode Fuzzy Hash: f6e2c8d0ce3f8615c2602aa6ec6b0d35e6d6f94df1b9acc25ecc50ac394aa1c1
                                                      • Instruction Fuzzy Hash: 60618BB5E0124A9FCF04DFA9D8449EEFBF6FF88310F10842AE815A7254DB709906CB90
                                                      Function 079A0006 Relevance: .2, Instructions: 165COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6190dc4badef5d855c10c474bbaa1173527f927d413d26146aa0e53c701ac127
                                                      • Instruction ID: c6348c09dda1059b1d4caca98d7b1fca21b66e77a834364cfa5a264e6c72b4c8
                                                      • Opcode Fuzzy Hash: 6190dc4badef5d855c10c474bbaa1173527f927d413d26146aa0e53c701ac127
                                                      • Instruction Fuzzy Hash: 2971F9B4E01218CFDB19CF69C995BDDBBB2BF89300F1481AAE408AB395D7356941CF50
                                                      Function 079A5020 Relevance: .1, Instructions: 140COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e2aacf1503273f8c5e1af25844726a99112d5dae050d1ed80516a3a75fc0b6d1
                                                      • Instruction ID: 6c8f7f22f93b2c73a869fa06a327a5baf0594e4582d5065f56730482063cb23f
                                                      • Opcode Fuzzy Hash: e2aacf1503273f8c5e1af25844726a99112d5dae050d1ed80516a3a75fc0b6d1
                                                      • Instruction Fuzzy Hash: 7851A3B5E016199FDB04CFEAD8446EEFBB2FF89300F10802AE919AB254DB745946CF50
                                                      Function 0721F3F8 Relevance: .1, Instructions: 109COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1713075970.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f1b81a921fc0f1e5135652851979958dee69a1c83ef7103c8e46ca1b2454c07f
                                                      • Instruction ID: 9a6244b98ed9dc8b46d93fd972585010c3023e19eb8a7d09e8ded3301fa9d8e7
                                                      • Opcode Fuzzy Hash: f1b81a921fc0f1e5135652851979958dee69a1c83ef7103c8e46ca1b2454c07f
                                                      • Instruction Fuzzy Hash: AD410DB1E016198FEB58CF6AC94079EBBF2BF89300F14C1AAC45CA7255EB300A46CF51
                                                      Function 079A5012 Relevance: .1, Instructions: 101COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c473cf4785a92e4341cab3d189992304934708a9108b9487ba27113f070e36b0
                                                      • Instruction ID: 2bcedb8cac7ac98cd902ce2da4b1dde7c73d57874e8e14c73c0b36e5a8c73769
                                                      • Opcode Fuzzy Hash: c473cf4785a92e4341cab3d189992304934708a9108b9487ba27113f070e36b0
                                                      • Instruction Fuzzy Hash: 8641A7B5E016599FDB08CFEAC4456EEFBF2AF89300F14C06AD918AB254EB345945CF40
                                                      Function 015FD3C9 Relevance: 6.1, APIs: 4, Instructions: 130threadCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 602 15fd3c9-15fd467 GetCurrentProcess 606 15fd469-15fd46f 602->606 607 15fd470-15fd4a4 GetCurrentThread 602->607 606->607 608 15fd4ad-15fd4e1 GetCurrentProcess 607->608 609 15fd4a6-15fd4ac 607->609 611 15fd4ea-15fd505 call 15fd5a8 608->611 612 15fd4e3-15fd4e9 608->612 609->608 614 15fd50b-15fd53a GetCurrentThreadId 611->614 612->611 616 15fd53c-15fd542 614->616 617 15fd543-15fd5a5 614->617 616->617
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 015FD456
                                                      • GetCurrentThread.KERNEL32 ref: 015FD493
                                                      • GetCurrentProcess.KERNEL32 ref: 015FD4D0
                                                      • GetCurrentThreadId.KERNEL32 ref: 015FD529
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1707329637.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15f0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: ae6a80705bacb5fead1d33f99b95e7a1291acb2f38aa73a09b5525f4f9dd560a
                                                      • Instruction ID: 0d1d1dbeb294c23f7d8b41fc51985c46f59a235e8fc8424eb9072aa89e58bc65
                                                      • Opcode Fuzzy Hash: ae6a80705bacb5fead1d33f99b95e7a1291acb2f38aa73a09b5525f4f9dd560a
                                                      • Instruction Fuzzy Hash: D45167B09003098FDB14DFA9D548BEEBFF1FF48314F248459E119AB2A0DB74A984CB65
                                                      Function 015FD3D8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 624 15fd3d8-15fd467 GetCurrentProcess 628 15fd469-15fd46f 624->628 629 15fd470-15fd4a4 GetCurrentThread 624->629 628->629 630 15fd4ad-15fd4e1 GetCurrentProcess 629->630 631 15fd4a6-15fd4ac 629->631 633 15fd4ea-15fd505 call 15fd5a8 630->633 634 15fd4e3-15fd4e9 630->634 631->630 636 15fd50b-15fd53a GetCurrentThreadId 633->636 634->633 638 15fd53c-15fd542 636->638 639 15fd543-15fd5a5 636->639 638->639
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 015FD456
                                                      • GetCurrentThread.KERNEL32 ref: 015FD493
                                                      • GetCurrentProcess.KERNEL32 ref: 015FD4D0
                                                      • GetCurrentThreadId.KERNEL32 ref: 015FD529
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1707329637.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15f0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: a73cd95188fa3b159285c66221e097836fd4f077fd2a719756a3456901a4bc03
                                                      • Instruction ID: 672387522ccde359f9c8f45c16c98691b14840df04583c6589379cd1d5c9500c
                                                      • Opcode Fuzzy Hash: a73cd95188fa3b159285c66221e097836fd4f077fd2a719756a3456901a4bc03
                                                      • Instruction Fuzzy Hash: 285154B09002098FDB54DFAAD548BEEBBF1FB48314F208459E519AB260DB74A984CF65
                                                      Function 079AE9DD Relevance: 1.7, APIs: 1, Instructions: 248processCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079AEC1E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 10c70e5433ce742df32de354362b62448a4c5a8704c4aed938a83c009cc83dd6
                                                      • Instruction ID: 71b351cb895a78a93c430b7091a7969bf6fb4086ceac5e00590b0d2e52807cd3
                                                      • Opcode Fuzzy Hash: 10c70e5433ce742df32de354362b62448a4c5a8704c4aed938a83c009cc83dd6
                                                      • Instruction Fuzzy Hash: DAA1ADB1D0131ADFDB10CF69C8467DDBBB6BF48314F1485A9E809A7290DB749980CF91
                                                      Function 079AE9E8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079AEC1E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 5990755acff3f82245bf85b5d34566e44b29b6c4a1ceec568d0aec4bdc69d279
                                                      • Instruction ID: 58fad86b4df8c605bae5acfe5fadad4ec8412f304aefb4838e26f6e59d073011
                                                      • Opcode Fuzzy Hash: 5990755acff3f82245bf85b5d34566e44b29b6c4a1ceec568d0aec4bdc69d279
                                                      • Instruction Fuzzy Hash: 94918DB1D0121ADFDB10CF69C8467EDBBB6BF48314F1481A9E809A7290DB749985CF91
                                                      Function 015FAD48 Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 015FAF9E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1707329637.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15f0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 1159a455dbad7251d075ff1e67427566de69f78144458c78320aff93aa7eef94
                                                      • Instruction ID: 078970044ba9864a8e9241aa4f38603c159fdfeeed4b510428721fb90f928333
                                                      • Opcode Fuzzy Hash: 1159a455dbad7251d075ff1e67427566de69f78144458c78320aff93aa7eef94
                                                      • Instruction Fuzzy Hash: BD712370A00B058FD725DF29D54475ABBF5FF88304F108A2DD68ADBA50DB35E849CB92
                                                      Function 015F590C Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 015F59C9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1707329637.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15f0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 368572f9053432550ece1cd0036d6cf8259ca49e7818ddca25deb9eda50bb05b
                                                      • Instruction ID: e251f0590f7965c49e36e1500a151cddd5c86dfe28896dbf6e4dc99a1c13e640
                                                      • Opcode Fuzzy Hash: 368572f9053432550ece1cd0036d6cf8259ca49e7818ddca25deb9eda50bb05b
                                                      • Instruction Fuzzy Hash: 9A41F1B0C00219CBDB24DFA9C9847DDBBF5BF48304F24809AD508AB255DB755989CF90
                                                      Function 015F44F0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 015F59C9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1707329637.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15f0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 18e70e966de3736364c9bf37b174a2e71ae61cba02c72701b4033685d86006a2
                                                      • Instruction ID: 300b6d63c9a2f8cfa2d462746150ddc70e0f43555a85ee0f976662e942cef9b4
                                                      • Opcode Fuzzy Hash: 18e70e966de3736364c9bf37b174a2e71ae61cba02c72701b4033685d86006a2
                                                      • Instruction Fuzzy Hash: 8041F3B0C0071DCBDB24DFA9C984B9DBBF5BF49304F2480AAD508AB255EBB55945CF90
                                                      Function 079AE320 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079AE3B8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 03a5d25bd315bafd3099a9dc23912e230da3f0cbd4ea1390d17abb3b006e9e05
                                                      • Instruction ID: f39e00717de339aec325cbd8831bb393a8dfa765aa071f6c009e39349734c77d
                                                      • Opcode Fuzzy Hash: 03a5d25bd315bafd3099a9dc23912e230da3f0cbd4ea1390d17abb3b006e9e05
                                                      • Instruction Fuzzy Hash: 8F2168B2900359DFCB10CFAAC885BEEBBF5FF48310F10842AE559A7250C7789544CBA4
                                                      Function 079AE328 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079AE3B8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 7b17712889e763957b92cd632b43010156c69ff5b827e77b95e57fcca54fcd2e
                                                      • Instruction ID: bbee102091ce1f7e2ed79a983d394455eed6bc1d80605b5550fd39cfdc46dcc1
                                                      • Opcode Fuzzy Hash: 7b17712889e763957b92cd632b43010156c69ff5b827e77b95e57fcca54fcd2e
                                                      • Instruction Fuzzy Hash: C82127B19003599FCB10DFAAC985BDEBBF5FF48314F108429E959A7250C7789944CBA4
                                                      Function 079AE848 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079AE8D0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: c12837ec62c4255c70624aa9c0ade88d2ca4f4fe8a277d2278d1cd25c9bedf4e
                                                      • Instruction ID: 174093a0b5ad7c9a67e9468a1565741b33a1859d3b41f7fbc7ac74dbf2358d1c
                                                      • Opcode Fuzzy Hash: c12837ec62c4255c70624aa9c0ade88d2ca4f4fe8a277d2278d1cd25c9bedf4e
                                                      • Instruction Fuzzy Hash: 7B2136B2C003599FCB10DFAAC881ADEBBF5FF48324F10842AE559A7250C7349554CFA5
                                                      Function 079AE188 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079AE20E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: 24767a050cd78fea6ff0b386235876357657b1f5e78a4550f25f60545b48c793
                                                      • Instruction ID: d995e7004c025ef3c1c56fec7d93c4894a427815035e2e1dae7698ead9d2f8f6
                                                      • Opcode Fuzzy Hash: 24767a050cd78fea6ff0b386235876357657b1f5e78a4550f25f60545b48c793
                                                      • Instruction Fuzzy Hash: 592137B19002499FDB10DFAAC485BEEBBF4EF88324F24C429D459A7241CB789945CFA4
                                                      Function 079AE190 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 079AE20E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: f36d695e01c613288ccf780d45fb0f07fcb3049df8f6eb14deb0ab91a9e64644
                                                      • Instruction ID: 006b6f00e34fab2875d257332fed1c1c2fb0a22f0de89661bccb6a3aba67df91
                                                      • Opcode Fuzzy Hash: f36d695e01c613288ccf780d45fb0f07fcb3049df8f6eb14deb0ab91a9e64644
                                                      • Instruction Fuzzy Hash: 122129B19003199FDB10DFAAC585BEEBBF4EF48324F148429D559A7240CB78A944CFA5
                                                      Function 079AE850 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079AE8D0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: ec1eb89898bdcf8ccb5b06faf6f41dcea360bef04595ac4f8c95e7d66f332798
                                                      • Instruction ID: 983f6c5647b23028b5827ad965ae8037e100e169312137323ff1f7acba12cb23
                                                      • Opcode Fuzzy Hash: ec1eb89898bdcf8ccb5b06faf6f41dcea360bef04595ac4f8c95e7d66f332798
                                                      • Instruction Fuzzy Hash: 162137B1D003599FCB10DFAAC881AEEFBF5FF48324F10842AE559A7250C7389944DBA4
                                                      Function 015FD619 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015FD6A7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1707329637.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15f0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 071f79f513dff7b4a46870400bb4aaf244f4a95b877da38623053f4fd2cf4741
                                                      • Instruction ID: 5646b60256ddfbd50a52007db7a8af0aa23863f6d4278597cd16455b18f1db02
                                                      • Opcode Fuzzy Hash: 071f79f513dff7b4a46870400bb4aaf244f4a95b877da38623053f4fd2cf4741
                                                      • Instruction Fuzzy Hash: 9921E3B59002189FDB10CF9AD584ADEBBF4FB48324F24841AE958B7210C378A940CF64
                                                      Function 015FD620 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015FD6A7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1707329637.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15f0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: b584f79958e757367f51efd090c87da333cd8dd85ce8b21cb8fe5548d831e33a
                                                      • Instruction ID: f781790a64ee6b7b213c6acd3cfb0e120de353eac6dda24e622e2282e88d2db5
                                                      • Opcode Fuzzy Hash: b584f79958e757367f51efd090c87da333cd8dd85ce8b21cb8fe5548d831e33a
                                                      • Instruction Fuzzy Hash: AA21C4B59002589FDB10CF9AD584ADEBFF8FB48310F24845AE958A7350D374A944CFA5
                                                      Function 079AE260 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079AE2D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: b94015bb342f82095dad92a2d301b2fe55a3b6d915b89ef688f002ff6b26d964
                                                      • Instruction ID: eca6936c7dc86ea71935bc10d526d7b3671d3ebadb47331c72da754fe0847cab
                                                      • Opcode Fuzzy Hash: b94015bb342f82095dad92a2d301b2fe55a3b6d915b89ef688f002ff6b26d964
                                                      • Instruction Fuzzy Hash: 351159B1900249DFDB10DFAAC845AEEFFF5EF88324F248819E555A7250C7359544CFA0
                                                      Function 079AE268 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079AE2D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 4927dd590280423dfa86e859983589b7d5e000dd7d461d553fb0f86c171914be
                                                      • Instruction ID: b1c7618ae6978210bcca0fd4bab8a0815a63353e24b02534b71d83a950a026d1
                                                      • Opcode Fuzzy Hash: 4927dd590280423dfa86e859983589b7d5e000dd7d461d553fb0f86c171914be
                                                      • Instruction Fuzzy Hash: 711137B29002499FCB10DFAAC845BDEBFF9EF88324F208819E555A7250C775A544CFA4
                                                      Function 079A40B8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • OutputDebugStringW.KERNELBASE(00000000), ref: 079A4128
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: DebugOutputString
                                                      • String ID:
                                                      • API String ID: 1166629820-0
                                                      • Opcode ID: d7d4ab0f27933d4bb2383f6fbcd226f7d605efa8c7298e97aee6336026ee7745
                                                      • Instruction ID: 8e8de9e5b9641610cb56a0409a889fcd9f5c7d91a9f3d6795c1bcb7f81e70f97
                                                      • Opcode Fuzzy Hash: d7d4ab0f27933d4bb2383f6fbcd226f7d605efa8c7298e97aee6336026ee7745
                                                      • Instruction Fuzzy Hash: B41132B1C0065A9BCB00CF9AD944B9EFBF8FB58324F20812AD818B3250C774A940CFA5
                                                      Function 079AE0D9 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ResumeThread.KERNELBASE(?), ref: 079AE142
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: ef1378c099ebd5b4011d19b9ed350436819c081252e0870b981340ca6aad30e3
                                                      • Instruction ID: 41e44e040451a4ecf3b91cf7ad1cbf37fecf62a78ec2fb44cd48f1a429ad430e
                                                      • Opcode Fuzzy Hash: ef1378c099ebd5b4011d19b9ed350436819c081252e0870b981340ca6aad30e3
                                                      • Instruction Fuzzy Hash: 671158B19002998FDB20DFAAC4457EEFBF4EF88324F248869D459A7250CB35A544CF94
                                                      Function 079A40B1 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • OutputDebugStringW.KERNELBASE(00000000), ref: 079A4128
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: DebugOutputString
                                                      • String ID:
                                                      • API String ID: 1166629820-0
                                                      • Opcode ID: ff85e71f2edc98d74e3b75b187841fe940a4ee285b56d47080475a2ede4a995d
                                                      • Instruction ID: 739eccc7640fd339b23267914401d44d460f310f11d2d6bcb3125ee1da6f9cdb
                                                      • Opcode Fuzzy Hash: ff85e71f2edc98d74e3b75b187841fe940a4ee285b56d47080475a2ede4a995d
                                                      • Instruction Fuzzy Hash: 82114FB2C0025A9BCB04CF9AD945B9EFBB8FB58324F20812AD818B7210D374A540CFA5
                                                      Function 079AE0E0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • ResumeThread.KERNELBASE(?), ref: 079AE142
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: e5246d4f7cfddc99bdf8b47753cd5cc2b042a158c114f4f720a99244883bc41e
                                                      • Instruction ID: 29c426339b96645c076d8cf705f63dc2c79dd8542aad18b67062bb6cfb64f075
                                                      • Opcode Fuzzy Hash: e5246d4f7cfddc99bdf8b47753cd5cc2b042a158c114f4f720a99244883bc41e
                                                      • Instruction Fuzzy Hash: E61166B19003588FCB20DFAAC4457DEFBF8EB88324F208829D559A7250CB34A944CFA4
                                                      Function 015FAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 015FAF9E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1707329637.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15f0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: f5440d25201a1426cb12e5c1a66613b7c3e89a23fa795194c82c06de0d45a1bf
                                                      • Instruction ID: a7679ab0599b94674c084e290c5cfbc5bbd187bfd09e477c00de7c4e44d508c2
                                                      • Opcode Fuzzy Hash: f5440d25201a1426cb12e5c1a66613b7c3e89a23fa795194c82c06de0d45a1bf
                                                      • Instruction Fuzzy Hash: 5D1110B6C002498FDB10CF9AC444ADEFBF4BB88324F10846AD929AB250C379A545CFA5
                                                      Function 0F701171 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • PostMessageW.USER32(?,?,?,?), ref: 0F7011D5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1717632405.000000000F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F700000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f700000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: ac0b5303e876ed4694157d8a2fcf09dabc65f063cc265655539496bd979bf9dc
                                                      • Instruction ID: b1c1d8a769aa177fafa1d8e64764f2d032c6d7cba5b868c99378a0188384fb45
                                                      • Opcode Fuzzy Hash: ac0b5303e876ed4694157d8a2fcf09dabc65f063cc265655539496bd979bf9dc
                                                      • Instruction Fuzzy Hash: E111F5B6900248DFCB10DF9AD445BDEBFF8EB48324F108459E558A7241C375A544CFA5
                                                      Function 0F701178 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                      Download Yara Rule
                                                      APIs
                                                      • PostMessageW.USER32(?,?,?,?), ref: 0F7011D5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1717632405.000000000F700000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F700000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f700000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: 05e38854046fc19ee521c4efc23630b2b20c19d59aee00c9f1c02b7947ee44cb
                                                      • Instruction ID: 34b18342f7053c547ff1d8798da742584cfd8bea2be702351c456bf3d6022d3c
                                                      • Opcode Fuzzy Hash: 05e38854046fc19ee521c4efc23630b2b20c19d59aee00c9f1c02b7947ee44cb
                                                      • Instruction Fuzzy Hash: A51103B5800348DFCB10DF9AD845BDEBBF8EB48324F208459E558A7240C375A944CFA5
                                                      Function 0135D3D8 Relevance: .1, Instructions: 75COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1706781963.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_135d000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 63c780536816bc41141da11d278a1818f180b8ba97a85ca5758953ca56c6c730
                                                      • Instruction ID: cd2d6142a2312f70337e7fd9903361fbc13a51d92062228ea1789091cef3b67e
                                                      • Opcode Fuzzy Hash: 63c780536816bc41141da11d278a1818f180b8ba97a85ca5758953ca56c6c730
                                                      • Instruction Fuzzy Hash: 422145B1100204DFDB05DF48D9C0F66BF69FB88728F20C169ED0A1F256C73AE446CAA2
                                                      Function 0136D1D4 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1706828405.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_136d000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1e60aaac98bc05f1c4c2646aa585b22e54bdc936f3ba1a6a0bcc7965b9c741ea
                                                      • Instruction ID: da978cb5a687dc81b0a90118410b493fde5a475328e1c12a1d8d792692a74d65
                                                      • Opcode Fuzzy Hash: 1e60aaac98bc05f1c4c2646aa585b22e54bdc936f3ba1a6a0bcc7965b9c741ea
                                                      • Instruction Fuzzy Hash: F9214971604204DFDB01DF98D5C0B26BBA9FB84328F24C56DD8894B35AC376D446CA61
                                                      Function 0136D01C Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1706828405.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_136d000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ab44fe2c28a2211e9bb0077d1d60150dcc8e48cd1b21f9143a624fdb1720ed54
                                                      • Instruction ID: a1c59ffb96c9b1cc01344cbb5ac3649d9b57e289a5145608920634a287bdf2d9
                                                      • Opcode Fuzzy Hash: ab44fe2c28a2211e9bb0077d1d60150dcc8e48cd1b21f9143a624fdb1720ed54
                                                      • Instruction Fuzzy Hash: 46212271604204DFCB15DF58D984B26BFA9FB88318F20C56DE88A4B25AC33BD447CAA1
                                                      Function 0135D3D3 Relevance: .1, Instructions: 56COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1706781963.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_135d000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction ID: 1dcfb9f5729b20969fb1ea3f1911263b4be37f0c1e20086751f3fa9d6f8b5a18
                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                      • Instruction Fuzzy Hash: 8E11DFB2404240CFDB06CF44D5C4B56BF72FB94328F24C2A9DD090B256C33AE45ACBA1
                                                      Function 0136D017 Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1706828405.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_136d000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction ID: 22fdd415041c999ff4073b269bc957c6c2b1eba0636b8b5d13b1634b6085226f
                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction Fuzzy Hash: 2D118E75604280DFDB16CF54D5C4B15BF71FB84318F24C6AAD8494B65AC33AD44ACB61
                                                      Function 0136D1CF Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1706828405.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_136d000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction ID: 9c0f1c3b6504844234759444ca9969704fd856f00bfd715c5c213d26a92da93b
                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction Fuzzy Hash: 32118B75604280DFDB16CF54D5C4B15BFB1FB84228F28C6AAD8894B69AC33AD44ACB61

                                                      Non-executed Functions

                                                      Function 07216578 Relevance: 3.9, Strings: 3, Instructions: 168COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1713075970.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 2$U$c
                                                      • API String ID: 0-2109151629
                                                      • Opcode ID: 28bbb2cac7ef02e26aa280203a37c8e6d1af69b24e932d57c3593dc8f4355566
                                                      • Instruction ID: 07938af2da4c912c24f17df0946d9f57f99e356076d7f162fdfea8599533afd8
                                                      • Opcode Fuzzy Hash: 28bbb2cac7ef02e26aa280203a37c8e6d1af69b24e932d57c3593dc8f4355566
                                                      • Instruction Fuzzy Hash: 6F71F9B1E115099FDB04DFAAC580AAEFBF2FF98300F28D169D414A7245D734AA81CF94
                                                      Function 07216310 Relevance: 1.4, Strings: 1, Instructions: 150COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1713075970.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7210000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: {
                                                      • API String ID: 0-366298937
                                                      • Opcode ID: 4fda9a63cd7811d3e28d85235b312d555534cb5a1cb33e0b58352352a30e7f3a
                                                      • Instruction ID: 09943e07189a9b820429642cbc97b282583c79eef6c1da6ac8732db42e0bca0b
                                                      • Opcode Fuzzy Hash: 4fda9a63cd7811d3e28d85235b312d555534cb5a1cb33e0b58352352a30e7f3a
                                                      • Instruction Fuzzy Hash: 835127B1E1060A9BDB14CFAAC8806EEFBF6BF98300F18D165D514E7255DB349A81CB94
                                                      Function 079A2578 Relevance: .3, Instructions: 312COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 50fc27035bb166d8736096acf73d9567ef47818bed90024b5d2a896bcd4baaf5
                                                      • Instruction ID: 02ccc19734b59052d581a8db438aca163c3fd9d7ac97f50e466b3df3bf58d693
                                                      • Opcode Fuzzy Hash: 50fc27035bb166d8736096acf73d9567ef47818bed90024b5d2a896bcd4baaf5
                                                      • Instruction Fuzzy Hash: 3BE1D7B4E051199FCB14DFA9C5809AEFBB2FF89304F248169E414AB356DB34AD41CFA1
                                                      Function 079AC4F0 Relevance: .3, Instructions: 312COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d6c387285e149101779de2b6500fb421e16e3e71ff7fbca79526c43c1a945ef6
                                                      • Instruction ID: 15a19861fc65bbf18f38215638eba973c668d1ec57906452967e1fd6486181a5
                                                      • Opcode Fuzzy Hash: d6c387285e149101779de2b6500fb421e16e3e71ff7fbca79526c43c1a945ef6
                                                      • Instruction Fuzzy Hash: F6E1E7B4E015199FCB14CFA9C5809AEBBF2FF89304F248169E814AB356D734AD41CFA1
                                                      Function 079AE418 Relevance: .3, Instructions: 312COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8a66dace272a589f57c92c838504d4dd2c946b5fc11b7188e433bef6daf0b6b
                                                      • Instruction ID: bda117fae43d33e1e5ea9cea86705f28e46a8a98f75b015832d827ce5ea9e3c8
                                                      • Opcode Fuzzy Hash: d8a66dace272a589f57c92c838504d4dd2c946b5fc11b7188e433bef6daf0b6b
                                                      • Instruction Fuzzy Hash: 26E1E7B4E011199FCB14CFA9C5819AEBBF2FF89304F248169E814AB356D734AD41CFA1
                                                      Function 079A20B8 Relevance: .3, Instructions: 312COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 470d33b260e5bd40cf8a3fe835d7f948226d2e4823d033a9f8f28f67c775e4e1
                                                      • Instruction ID: 26c3356fe34495b7d47a13bf0080616457b2cff98004ad792026223d6ff0feab
                                                      • Opcode Fuzzy Hash: 470d33b260e5bd40cf8a3fe835d7f948226d2e4823d033a9f8f28f67c775e4e1
                                                      • Instruction Fuzzy Hash: 8EE1C8B4E011199FCB14DFA9C5809AEBBF2FF89304F248169E814AB355D734AD41CFA1
                                                      Function 079AC0B8 Relevance: .3, Instructions: 312COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d981f2cb74ab5ad52fd73238496c3f988b368e078111910cb8abee6354ae21a3
                                                      • Instruction ID: 43a0824ac24d837dd126f39869f2f7c84d24ccfdedded0967253c9937ca93fa0
                                                      • Opcode Fuzzy Hash: d981f2cb74ab5ad52fd73238496c3f988b368e078111910cb8abee6354ae21a3
                                                      • Instruction Fuzzy Hash: 6BE1D9B4E011199FCB14DFA9C5809AEBBF2FF89305F248169D814AB356DB34AD41CFA1
                                                      Function 079A2E28 Relevance: .3, Instructions: 312COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c986b20ac3692b2b86980ab42963cf3d6215672ca43352c1f2e61bf36229e78c
                                                      • Instruction ID: 19e708c76bbd34cb9f2da1b5b5fb5d0193b6234f3d9277a734d6c9d8be7322c7
                                                      • Opcode Fuzzy Hash: c986b20ac3692b2b86980ab42963cf3d6215672ca43352c1f2e61bf36229e78c
                                                      • Instruction Fuzzy Hash: E9E1C8B4E0111A9FCB14CFA9C5809AEFBB2FF89304F24C169E814AB355D735A941CFA0
                                                      Function 079ABC80 Relevance: .3, Instructions: 312COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5268260552b55eac431fad1dcbd41ead57f58974323147a95a0978a943802698
                                                      • Instruction ID: 97441eb0f02ea7e035cb56b906b36d015bbc962aa979ee4c07e8ec6c2b3b23ed
                                                      • Opcode Fuzzy Hash: 5268260552b55eac431fad1dcbd41ead57f58974323147a95a0978a943802698
                                                      • Instruction Fuzzy Hash: 54E1D7B4E011199FCB14DFA9C5809AEFBF2FF89304F248169E814AB356D735A941CFA1
                                                      Function 079A1C80 Relevance: .3, Instructions: 312COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0da212cabe0fc1a9523dc0cf020412b62b2cc62f00d4da340c0d2453577dafd7
                                                      • Instruction ID: 8c17657d580228a4ef6701f54cfbdd89ccdf99bd7cdc331cbe019e485f11bbb7
                                                      • Opcode Fuzzy Hash: 0da212cabe0fc1a9523dc0cf020412b62b2cc62f00d4da340c0d2453577dafd7
                                                      • Instruction Fuzzy Hash: 36E1E6B4E0111A9FCB14CFA9C5809AEFBB2FF89304F248169E415AB356D735AD41CFA0
                                                      Function 079AB848 Relevance: .3, Instructions: 312COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d3c46476d2b4867432fca06c68695c36842fedb0cbb1359d7016d57156f8c466
                                                      • Instruction ID: c6154aa99e3d98fabfabe95d9f12c2977c92fdca44fa9d17c360019a0bb3d5b7
                                                      • Opcode Fuzzy Hash: d3c46476d2b4867432fca06c68695c36842fedb0cbb1359d7016d57156f8c466
                                                      • Instruction Fuzzy Hash: 10E1D9B4E012199FCB14CFA9C5809AEBBF2FF89304F248169D815AB355D735AD41CFA1
                                                      Function 015FD304 Relevance: .3, Instructions: 264COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1707329637.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15f0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: da1a0d4082b48946e4da31beeeae88701e6de677e2dacc31ec41f8a93300b1c3
                                                      • Instruction ID: 2da76fa9fd7537fa9765c3b06cad7317cf456291dda89387a948a99bf10e271d
                                                      • Opcode Fuzzy Hash: da1a0d4082b48946e4da31beeeae88701e6de677e2dacc31ec41f8a93300b1c3
                                                      • Instruction Fuzzy Hash: A5A16E36E006068FCF15DFB4C88499EBBB6FF84300B15456EEA06AF265DB71E916CB40
                                                      Function 079A52B0 Relevance: .2, Instructions: 169COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b6ebf9381b3c0e6097aaa6e817b8b54f925fe5f381f208f3b3397df33cb51dd
                                                      • Instruction ID: d03309cb6d3d6df9d5811c0a7e3d063da562a783b283705ed9934e1ff01601ed
                                                      • Opcode Fuzzy Hash: 0b6ebf9381b3c0e6097aaa6e817b8b54f925fe5f381f208f3b3397df33cb51dd
                                                      • Instruction Fuzzy Hash: B07192B4E012199FCB04DFAAC58499EFBF2BF88301F15D169E818AB315DB34A942CF50
                                                      Function 079AB822 Relevance: .1, Instructions: 137COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5a9c0f6a0afa7962599da91707d2277601961a395721a0a9258480c6a3f9aad7
                                                      • Instruction ID: 1e1ebc3afacdbabed21f491ec52dc335a93f523aff719c567fd0c7f32e52a438
                                                      • Opcode Fuzzy Hash: 5a9c0f6a0afa7962599da91707d2277601961a395721a0a9258480c6a3f9aad7
                                                      • Instruction Fuzzy Hash: E6512CB4E052198FCB14CFA9C5409AEBBF2FF89308F14C1AAD418AB356D7349941CFA1
                                                      Function 079AC4E1 Relevance: .1, Instructions: 135COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee5e0c898303c869bc846882b4f614933f12bac9b998690d4a213298af948dd4
                                                      • Instruction ID: a4935244c8c76252b561a4961ebbd7bcc6746cc45285ad5faeb0af9f935cd356
                                                      • Opcode Fuzzy Hash: ee5e0c898303c869bc846882b4f614933f12bac9b998690d4a213298af948dd4
                                                      • Instruction Fuzzy Hash: F251FBB4E0161A8FCB15CFA9C5405AEBBF2EF89304F14C1A9D418AB256D7349D41CFA1
                                                      Function 079AE409 Relevance: .1, Instructions: 133COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e6219f372470237cce91f17e256f3a2a04c3faff025fb93bfd512c399dadd37b
                                                      • Instruction ID: cd514ac44de9de43879bfbc0cba5d5e4d9043c12948c740a76b5aa2290dc354e
                                                      • Opcode Fuzzy Hash: e6219f372470237cce91f17e256f3a2a04c3faff025fb93bfd512c399dadd37b
                                                      • Instruction Fuzzy Hash: E2512AB4E0121A8FCB14CFA9D5815AEFBF2FF89304F24C1A9D418AB256D7349941CFA1
                                                      Function 079A52A2 Relevance: .1, Instructions: 132COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 59a8f42215bc0236c2e5b784cb07cee44ee642f0c117271d71645d6377554f37
                                                      • Instruction ID: aebcbc814e2c3f1540e048cc357faefc978e4cbe3c76a529b64f1b54463fe7b2
                                                      • Opcode Fuzzy Hash: 59a8f42215bc0236c2e5b784cb07cee44ee642f0c117271d71645d6377554f37
                                                      • Instruction Fuzzy Hash: 095193B5E016598FDB08CFAAD98469EFBF2BF88301F14C06AD818AB355DB705946CF40
                                                      Function 079A1C70 Relevance: .1, Instructions: 132COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1714682053.00000000079A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 079A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_79a0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7d041e4bbdef6e01d377e479cccc01b560b439115b951addb3b3c94607a2617a
                                                      • Instruction ID: 9ecb2b12e5c038d35b0dbe19d9bb688ffa7d9bc15ea5f9ffb31b92fbe79325a5
                                                      • Opcode Fuzzy Hash: 7d041e4bbdef6e01d377e479cccc01b560b439115b951addb3b3c94607a2617a
                                                      • Instruction Fuzzy Hash: 6E51EBB4E052198FCB14CFA9C5805AEFBB6FF89304F24C1AAD418AB356D7359941CFA1

                                                      Execution Graph

                                                      Execution Coverage:11.7%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:19
                                                      Total number of Limit Nodes:4
                                                      execution_graph 26292 da0848 26294 da084e 26292->26294 26293 da091b 26294->26293 26296 da1382 26294->26296 26299 da138a 26296->26299 26297 da1488 26297->26294 26299->26297 26300 da7eb8 26299->26300 26301 da7ec2 26300->26301 26302 da7edc 26301->26302 26305 655fad2 26301->26305 26310 655fae0 26301->26310 26302->26299 26306 655faf5 26305->26306 26307 655fd06 26306->26307 26308 655fd20 GlobalMemoryStatusEx 26306->26308 26309 655fd30 GlobalMemoryStatusEx 26306->26309 26307->26302 26308->26306 26309->26306 26311 655faf5 26310->26311 26312 655fd06 26311->26312 26313 655fd30 GlobalMemoryStatusEx 26311->26313 26314 655fd20 GlobalMemoryStatusEx 26311->26314 26312->26302 26313->26311 26314->26311

                                                      Executed Functions

                                                      Function 06552420 Relevance: 9.0, Strings: 6, Instructions: 1484COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                      • API String ID: 0-1342094364
                                                      • Opcode ID: 0f846622fef2055e6197b21f23faa45a0542d823e89931b06e0d56a56ec3e55c
                                                      • Instruction ID: ab336fe83312e7f7664f18295ce65adcc771c42798de7be87cd5ed66dff3588e
                                                      • Opcode Fuzzy Hash: 0f846622fef2055e6197b21f23faa45a0542d823e89931b06e0d56a56ec3e55c
                                                      • Instruction Fuzzy Hash: 1AD23930E102058FCB64DF64C598A9DB7F2FF85310F5589AAD809AB265EB34ED85CF90
                                                      Function 0655B2C8 Relevance: 8.3, Strings: 6, Instructions: 765COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                      • API String ID: 0-1342094364
                                                      • Opcode ID: 6c90ab0860c665d5dd8bebabfe6823660259eb35baad5288109ffcf6013ad099
                                                      • Instruction ID: 964d7d5a78c59d7a4aba3ab2e8272ffbbda9a87cdee40dd5e74914d552b77de0
                                                      • Opcode Fuzzy Hash: 6c90ab0860c665d5dd8bebabfe6823660259eb35baad5288109ffcf6013ad099
                                                      • Instruction Fuzzy Hash: 3B528130E102098FDF64DB58D5B87AEB7B6FB85310F218826E805EB395DA34DC85CB91
                                                      Function 06557E08 Relevance: 3.0, Strings: 2, Instructions: 471COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1749 6557e08-6557e26 1750 6557e28-6557e2b 1749->1750 1751 6557e2d-6557e47 1750->1751 1752 6557e4c-6557e4f 1750->1752 1751->1752 1753 6557e51-6557e6d 1752->1753 1754 6557e72-6557e75 1752->1754 1753->1754 1756 6557e77-6557e81 1754->1756 1757 6557e82-6557e85 1754->1757 1758 6557e87-6557e95 1757->1758 1759 6557e9c-6557e9e 1757->1759 1765 6557eae-6557ec4 1758->1765 1767 6557e97 1758->1767 1761 6557ea5-6557ea8 1759->1761 1762 6557ea0 1759->1762 1761->1750 1761->1765 1762->1761 1769 65580df-65580e9 1765->1769 1770 6557eca-6557ed3 1765->1770 1767->1759 1771 6557ed9-6557ef6 1770->1771 1772 65580ea-655811f 1770->1772 1779 65580cc-65580d9 1771->1779 1780 6557efc-6557f24 1771->1780 1775 6558121-6558124 1772->1775 1776 65581d1-65581d4 1775->1776 1777 655812a-6558136 1775->1777 1781 65581f7-65581fa 1776->1781 1782 65581d6-65581f2 1776->1782 1785 6558141-6558143 1777->1785 1779->1769 1779->1770 1780->1779 1803 6557f2a-6557f33 1780->1803 1783 6558200-655820f 1781->1783 1784 655842f-6558431 1781->1784 1782->1781 1798 6558211-655822c 1783->1798 1799 655822e-6558272 1783->1799 1786 6558433 1784->1786 1787 6558438-655843b 1784->1787 1789 6558145-655814b 1785->1789 1790 655815b-655815f 1785->1790 1786->1787 1787->1775 1793 6558441-655844a 1787->1793 1794 655814d 1789->1794 1795 655814f-6558151 1789->1795 1796 6558161-655816b 1790->1796 1797 655816d 1790->1797 1794->1790 1795->1790 1801 6558172-6558174 1796->1801 1797->1801 1798->1799 1810 6558403-6558419 1799->1810 1811 6558278-6558289 1799->1811 1804 6558176-6558179 1801->1804 1805 655818b-65581c4 1801->1805 1803->1772 1807 6557f39-6557f55 1803->1807 1804->1793 1805->1783 1829 65581c6-65581d0 1805->1829 1816 6557f5b-6557f85 1807->1816 1817 65580ba-65580c6 1807->1817 1810->1784 1820 655828f-65582ac 1811->1820 1821 65583ee-65583fd 1811->1821 1832 65580b0-65580b5 1816->1832 1833 6557f8b-6557fb3 1816->1833 1817->1779 1817->1803 1820->1821 1830 65582b2-65583a8 call 6556628 1820->1830 1821->1810 1821->1811 1882 65583b6 1830->1882 1883 65583aa-65583b4 1830->1883 1832->1817 1833->1832 1839 6557fb9-6557fe7 1833->1839 1839->1832 1845 6557fed-6557ff6 1839->1845 1845->1832 1846 6557ffc-655802e 1845->1846 1854 6558030-6558034 1846->1854 1855 6558039-6558055 1846->1855 1854->1832 1856 6558036 1854->1856 1855->1817 1857 6558057-65580ae call 6556628 1855->1857 1856->1855 1857->1817 1884 65583bb-65583bd 1882->1884 1883->1884 1884->1821 1885 65583bf-65583c4 1884->1885 1886 65583c6-65583d0 1885->1886 1887 65583d2 1885->1887 1888 65583d7-65583d9 1886->1888 1887->1888 1888->1821 1889 65583db-65583e7 1888->1889 1889->1821
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq
                                                      • API String ID: 0-3550614674
                                                      • Opcode ID: 1170bf221899db732d0a0f94fed6a7de351f739ddbe45829a5d72de0c4e832bc
                                                      • Instruction ID: 2679c71d662c1a75ea1e2e350165ad8e0bbfbdcd1302b0a004d476cf4964b8b8
                                                      • Opcode Fuzzy Hash: 1170bf221899db732d0a0f94fed6a7de351f739ddbe45829a5d72de0c4e832bc
                                                      • Instruction Fuzzy Hash: 1402CF30B002158FDB54DF65D9A866EB7E2FF84300F15856AE805DB3A9DB35EC86CB90
                                                      Function 06555630 Relevance: 1.8, Strings: 1, Instructions: 597COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 2335 6555630-655564d 2336 655564f-6555652 2335->2336 2337 6555654-655566a 2336->2337 2338 655566f-6555672 2336->2338 2337->2338 2339 6555674-6555678 2338->2339 2340 6555683-6555686 2338->2340 2342 65557f5-6555802 2339->2342 2343 655567e 2339->2343 2344 655569d-65556a0 2340->2344 2345 6555688-6555698 2340->2345 2343->2340 2346 65556a2-65556a7 2344->2346 2347 65556aa-65556ad 2344->2347 2345->2344 2346->2347 2349 65557b7-65557bd 2347->2349 2350 65556b3-65556b6 2347->2350 2353 6555780-6555786 2349->2353 2354 65557bf 2349->2354 2351 65556c9-65556cc 2350->2351 2352 65556b8-65556be 2350->2352 2357 65556e4-65556e7 2351->2357 2358 65556ce-65556df 2351->2358 2355 6555775-6555776 2352->2355 2356 65556c4 2352->2356 2360 6555803-6555833 2353->2360 2361 6555788-6555793 2353->2361 2359 65557c4-65557c7 2354->2359 2367 655577b-655577e 2355->2367 2356->2351 2363 65556ef-65556f2 2357->2363 2364 65556e9-65556ea 2357->2364 2358->2357 2365 65557e3-65557e5 2359->2365 2366 65557c9-65557de 2359->2366 2381 655583d-6555840 2360->2381 2361->2360 2362 6555795-65557a2 2361->2362 2362->2360 2369 65557a4-65557a8 2362->2369 2371 65556f4-65556f6 2363->2371 2372 65556f9-65556fc 2363->2372 2364->2363 2373 65557e7 2365->2373 2374 65557ec-65557ef 2365->2374 2366->2365 2367->2353 2375 65557ad-65557b0 2367->2375 2369->2375 2371->2372 2379 65556fe-6555704 2372->2379 2380 6555709-655570c 2372->2380 2373->2374 2374->2336 2374->2342 2376 6555766-6555769 2375->2376 2377 65557b2-65557b5 2375->2377 2382 655570e-655571c 2376->2382 2383 655576b 2376->2383 2377->2349 2377->2359 2379->2380 2380->2382 2384 655572b-655572e 2380->2384 2387 6555854-6555857 2381->2387 2388 6555842-6555849 2381->2388 2396 6555723-6555726 2382->2396 2389 6555770-6555773 2383->2389 2385 6555730-6555739 2384->2385 2386 655573a-655573d 2384->2386 2390 6555761-6555764 2386->2390 2391 655573f-655575c 2386->2391 2394 6555879-655587c 2387->2394 2395 6555859-655585d 2387->2395 2392 655584f 2388->2392 2393 655591e-6555925 2388->2393 2389->2355 2389->2367 2390->2376 2390->2389 2391->2390 2392->2387 2399 6555894-6555897 2394->2399 2400 655587e-655588f 2394->2400 2397 6555926-6555964 2395->2397 2398 6555863-655586b 2395->2398 2396->2384 2413 6555966-6555969 2397->2413 2398->2397 2402 6555871-6555874 2398->2402 2403 6555899-65558a3 2399->2403 2404 65558a8-65558ab 2399->2404 2400->2399 2402->2394 2403->2404 2405 65558c5-65558c8 2404->2405 2406 65558ad-65558b1 2404->2406 2411 65558e2-65558e5 2405->2411 2412 65558ca-65558ce 2405->2412 2406->2397 2410 65558b3-65558bb 2406->2410 2410->2397 2415 65558bd-65558c0 2410->2415 2419 65558e7-65558ee 2411->2419 2420 65558ef-65558f2 2411->2420 2412->2397 2416 65558d0-65558d8 2412->2416 2417 6555973-6555976 2413->2417 2418 655596b-6555970 2413->2418 2415->2405 2416->2397 2421 65558da-65558dd 2416->2421 2422 655597c-655597f 2417->2422 2423 6555a19-6555bad 2417->2423 2418->2417 2424 65558f4-65558f8 2420->2424 2425 655590c-655590e 2420->2425 2421->2411 2428 6555997-655599a 2422->2428 2429 6555981-6555994 2422->2429 2484 6555ce3-6555cf6 2423->2484 2485 6555bb3-6555bba 2423->2485 2424->2397 2430 65558fa-6555902 2424->2430 2426 6555915-6555918 2425->2426 2427 6555910 2425->2427 2426->2381 2426->2393 2427->2426 2432 655599c-65559a3 2428->2432 2433 65559a8-65559ab 2428->2433 2430->2397 2434 6555904-6555907 2430->2434 2432->2433 2435 65559c5-65559c8 2433->2435 2436 65559ad-65559be 2433->2436 2434->2425 2438 65559e2-65559e5 2435->2438 2439 65559ca-65559db 2435->2439 2444 65559c0 2436->2444 2445 65559f8-6555a09 2436->2445 2442 65559e7-65559ee 2438->2442 2443 65559f3-65559f6 2438->2443 2439->2432 2450 65559dd 2439->2450 2442->2443 2443->2445 2448 6555a10-6555a13 2443->2448 2444->2435 2445->2432 2456 6555a0b 2445->2456 2448->2423 2449 6555cf9-6555cfc 2448->2449 2452 6555cfe-6555d0f 2449->2452 2453 6555d1a-6555d1d 2449->2453 2450->2438 2452->2429 2461 6555d15 2452->2461 2453->2423 2455 6555d23-6555d26 2453->2455 2458 6555d44-6555d46 2455->2458 2459 6555d28-6555d39 2455->2459 2456->2448 2462 6555d4d-6555d50 2458->2462 2463 6555d48 2458->2463 2459->2432 2467 6555d3f 2459->2467 2461->2453 2462->2413 2465 6555d56-6555d5f 2462->2465 2463->2462 2467->2458 2486 6555bc0-6555bf3 2485->2486 2487 6555c6e-6555c75 2485->2487 2498 6555bf5 2486->2498 2499 6555bf8-6555c39 2486->2499 2487->2484 2488 6555c77-6555caa 2487->2488 2500 6555cac 2488->2500 2501 6555caf-6555cdc 2488->2501 2498->2499 2509 6555c51-6555c58 2499->2509 2510 6555c3b-6555c4c 2499->2510 2500->2501 2501->2465 2512 6555c60-6555c62 2509->2512 2510->2465 2512->2465
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $
                                                      • API String ID: 0-3993045852
                                                      • Opcode ID: c9b7bc7d47eaa5818a6becbd038e7a26f118367af4860387b6f5b44a1bc49660
                                                      • Instruction ID: 71cd6b52672e3ad35723b7c2a94608433f55bd4a2036924f5b58845d7a47cada
                                                      • Opcode Fuzzy Hash: c9b7bc7d47eaa5818a6becbd038e7a26f118367af4860387b6f5b44a1bc49660
                                                      • Instruction Fuzzy Hash: 7A22D571E102058FDF60DBA4C5946AEBBF2FF84320F25846AD805AB355EB35ED41CB91
                                                      Function 06556678 Relevance: .8, Instructions: 815COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b4eb35b9935d9ba20c0dedf1785637ea1ba19c16d94f8fd2585228b829edfa61
                                                      • Instruction ID: d3f3c8149b8249b35fdc53d053dfdd54204fd08f05e77df438750b553936f067
                                                      • Opcode Fuzzy Hash: b4eb35b9935d9ba20c0dedf1785637ea1ba19c16d94f8fd2585228b829edfa61
                                                      • Instruction Fuzzy Hash: 8A629E34E002058FDB64DB68D568AADB7F2FF88310F55846AE806DB3A5DB35EC45CB90
                                                      Function 0655C220 Relevance: .6, Instructions: 637COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 237aa44f377a0528774a5a3215e2bb3a431e7c151e42a9744a574e2cebf97c98
                                                      • Instruction ID: 60a9cceda77d6d05bbb5fee7c2a5192a3ac5095e0f73b9e9426b0577b9507b69
                                                      • Opcode Fuzzy Hash: 237aa44f377a0528774a5a3215e2bb3a431e7c151e42a9744a574e2cebf97c98
                                                      • Instruction Fuzzy Hash: FD328034B102098FDB54DF68D994BAEB7B2FB88310F15852AE806EB355DB35EC45CB90
                                                      Function 0655AD60 Relevance: 10.4, Strings: 8, Instructions: 394COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 655ad60-655ad7e 1 655ad80-655ad83 0->1 2 655ad85-655ad92 1->2 3 655ad97-655ad9a 1->3 2->3 4 655ad9c-655ada0 3->4 5 655adab-655adae 3->5 7 655ada6 4->7 8 655af8c-655af96 4->8 9 655adb1-655adb7 5->9 10 655af7d-655af86 5->10 7->5 12 655adb9-655add5 9->12 13 655adda-655addd 9->13 10->8 11 655adf2-655adfb 10->11 16 655af97-655afa9 11->16 17 655ae01-655ae05 11->17 12->13 14 655aded-655adf0 13->14 15 655addf-655ade8 13->15 14->11 18 655ae0a-655ae0d 14->18 15->14 26 655b009-655b023 16->26 27 655afab-655afce 16->27 17->18 20 655ae27-655ae2a 18->20 21 655ae0f-655ae22 18->21 24 655ae34-655ae36 20->24 25 655ae2c-655ae31 20->25 21->20 29 655ae3d-655ae40 24->29 30 655ae38 24->30 25->24 47 655b028-655b02b 26->47 31 655afd0-655afd3 27->31 29->1 35 655ae46-655ae6a 29->35 30->29 33 655afd5-655afd9 31->33 34 655afe0-655afe3 31->34 38 655b031-655b06c 33->38 39 655afdb 33->39 36 655afe5 34->36 37 655aff2-655aff5 34->37 53 655ae70-655ae7f 35->53 54 655af7a 35->54 126 655afe5 call 655b2c8 36->126 127 655afe5 call 655b2ba 36->127 41 655aff7-655b001 37->41 42 655b002-655b005 37->42 48 655b072-655b07e 38->48 49 655b25f-655b272 38->49 39->34 46 655b007 42->46 42->47 45 655afeb-655afed 45->37 46->26 47->38 51 655b294-655b296 47->51 59 655b080-655b099 48->59 60 655b09e-655b0e2 48->60 52 655b274 49->52 55 655b29d-655b2a0 51->55 56 655b298 51->56 61 655b275 52->61 63 655ae97-655aed2 call 6556628 53->63 64 655ae81-655ae87 53->64 54->10 55->31 57 655b2a6-655b2b0 55->57 56->55 59->52 77 655b0e4-655b0f6 60->77 78 655b0fe-655b13d 60->78 61->61 80 655aed4-655aeda 63->80 81 655aeea-655af01 63->81 66 655ae89 64->66 67 655ae8b-655ae8d 64->67 66->63 67->63 77->78 87 655b224-655b239 78->87 88 655b143-655b21e call 6556628 78->88 83 655aedc 80->83 84 655aede-655aee0 80->84 93 655af03-655af09 81->93 94 655af19-655af2a 81->94 83->81 84->81 87->49 88->87 96 655af0d-655af0f 93->96 97 655af0b 93->97 100 655af42-655af73 94->100 101 655af2c-655af32 94->101 96->94 97->94 100->54 103 655af34 101->103 104 655af36-655af38 101->104 103->100 104->100 126->45 127->45
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                      • API String ID: 0-1078448309
                                                      • Opcode ID: a50fa766fc0837ead692067eaf036d7818b6e26cfaaf887ebf3338527b0fab3f
                                                      • Instruction ID: bb7c7eb455c42dfbad73a00a461d82913a6e864630c6ab91c8c22d0e45085562
                                                      • Opcode Fuzzy Hash: a50fa766fc0837ead692067eaf036d7818b6e26cfaaf887ebf3338527b0fab3f
                                                      • Instruction Fuzzy Hash: 8DE17130E1020A8FCF65DF69D9686AEB7F2FF85300F118A2AD815AB355DB35D845CB90
                                                      Function 065591D8 Relevance: 5.2, Strings: 4, Instructions: 230COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 857 65591d8-65591fd 858 65591ff-6559202 857->858 859 6559ac0-6559ac3 858->859 860 6559208-655921d 858->860 861 6559ac5-6559ae4 859->861 862 6559ae9-6559aeb 859->862 867 6559235-655924b 860->867 868 655921f-6559225 860->868 861->862 863 6559af2-6559af5 862->863 864 6559aed 862->864 863->858 869 6559afb-6559b05 863->869 864->863 874 6559256-6559258 867->874 870 6559227 868->870 871 6559229-655922b 868->871 870->867 871->867 875 6559270-65592e1 874->875 876 655925a-6559260 874->876 887 65592e3-6559306 875->887 888 655930d-6559329 875->888 877 6559264-6559266 876->877 878 6559262 876->878 877->875 878->875 887->888 893 6559355-6559370 888->893 894 655932b-655934e 888->894 899 6559372-6559394 893->899 900 655939b-65593b6 893->900 894->893 899->900 905 65593b8-65593d4 900->905 906 65593db-65593e9 900->906 905->906 907 65593f9-6559473 906->907 908 65593eb-65593f4 906->908 914 6559475-6559493 907->914 915 65594c0-65594d5 907->915 908->869 919 6559495-65594a4 914->919 920 65594af-65594be 914->920 915->859 919->920 920->914 920->915
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq$$kq
                                                      • API String ID: 0-2881790790
                                                      • Opcode ID: 1e0a5eb04ccc8f04541b54d997ff13a94e186df67868586d5daf7a284f05a78a
                                                      • Instruction ID: 4530c93a5acd80bebf060c5a440d25fd081a75f7446b0f8a721fa3d13df3cf62
                                                      • Opcode Fuzzy Hash: 1e0a5eb04ccc8f04541b54d997ff13a94e186df67868586d5daf7a284f05a78a
                                                      • Instruction Fuzzy Hash: 05915230F1025A8FDB64DF65D9647AEB7F6BFC8240F10846AD8099B398EB74DC418B90
                                                      Function 0655CFE8 Relevance: 4.6, Strings: 3, Instructions: 801COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 923 655cfe8-655d003 924 655d005-655d008 923->924 925 655d012-655d015 924->925 926 655d00a-655d00f 924->926 927 655d017-655d02d 925->927 928 655d032-655d035 925->928 926->925 927->928 929 655d037-655d046 928->929 930 655d07e-655d081 928->930 934 655d055-655d061 929->934 935 655d048-655d04d 929->935 931 655d4d4-655d4e0 930->931 932 655d087-655d08a 930->932 931->929 940 655d4e6-655d7d3 931->940 938 655d0d3-655d0d6 932->938 939 655d08c-655d09b 932->939 936 655da05-655da3e 934->936 937 655d067-655d079 934->937 935->934 955 655da40-655da43 936->955 937->930 944 655d11f-655d122 938->944 945 655d0d8-655d11a 938->945 941 655d09d-655d0a2 939->941 942 655d0aa-655d0b6 939->942 1135 655d7d9-655d7df 940->1135 1136 655d9fa-655da04 940->1136 941->942 942->936 949 655d0bc-655d0ce 942->949 950 655d124-655d166 944->950 951 655d16b-655d16e 944->951 945->944 949->938 950->951 953 655d191-655d194 951->953 954 655d170-655d18c 951->954 959 655d196-655d1d8 953->959 960 655d1dd-655d1e0 953->960 954->953 956 655da45-655da71 955->956 957 655da76-655da79 955->957 956->957 967 655da88-655da8b 957->967 968 655da7b 957->968 959->960 965 655d1e2-655d1e4 960->965 966 655d1ef-655d1f2 960->966 971 655d38f-655d398 965->971 972 655d1ea 965->972 973 655d1f4-655d236 966->973 974 655d23b-655d23e 966->974 969 655da8d-655daa9 967->969 970 655daae-655dab0 967->970 1182 655da7b call 655db70 968->1182 1183 655da7b call 655db5d 968->1183 969->970 979 655dab7-655daba 970->979 980 655dab2 970->980 984 655d3a7-655d3b3 971->984 985 655d39a-655d39f 971->985 972->966 973->974 981 655d287-655d28a 974->981 982 655d240-655d282 974->982 979->955 991 655dabc-655dacb 979->991 980->979 994 655d2d3-655d2d6 981->994 995 655d28c-655d2ce 981->995 982->981 988 655d4c4-655d4c9 984->988 989 655d3b9-655d3cd 984->989 985->984 986 655da81-655da83 986->967 1002 655d4d1 988->1002 989->1002 1014 655d3d3-655d3e5 989->1014 1015 655db32-655db47 991->1015 1016 655dacd-655db30 call 6556628 991->1016 997 655d2e5-655d2e8 994->997 998 655d2d8-655d2da 994->998 995->994 1004 655d331-655d334 997->1004 1005 655d2ea-655d32c 997->1005 998->1002 1003 655d2e0 998->1003 1002->931 1003->997 1018 655d336-655d378 1004->1018 1019 655d37d-655d37f 1004->1019 1005->1004 1036 655d3e7-655d3ed 1014->1036 1037 655d409-655d40b 1014->1037 1016->1015 1018->1019 1027 655d386-655d389 1019->1027 1028 655d381 1019->1028 1027->924 1027->971 1028->1027 1042 655d3f1-655d3fd 1036->1042 1043 655d3ef 1036->1043 1047 655d415-655d421 1037->1047 1050 655d3ff-655d407 1042->1050 1043->1050 1060 655d423-655d42d 1047->1060 1061 655d42f 1047->1061 1050->1047 1064 655d434-655d436 1060->1064 1061->1064 1064->1002 1068 655d43c-655d458 call 6556628 1064->1068 1078 655d467-655d473 1068->1078 1079 655d45a-655d45f 1068->1079 1078->988 1082 655d475-655d4c2 1078->1082 1079->1078 1082->1002 1137 655d7e1-655d7e6 1135->1137 1138 655d7ee-655d7f7 1135->1138 1137->1138 1138->936 1139 655d7fd-655d810 1138->1139 1141 655d816-655d81c 1139->1141 1142 655d9ea-655d9f4 1139->1142 1143 655d81e-655d823 1141->1143 1144 655d82b-655d834 1141->1144 1142->1135 1142->1136 1143->1144 1144->936 1145 655d83a-655d85b 1144->1145 1148 655d85d-655d862 1145->1148 1149 655d86a-655d873 1145->1149 1148->1149 1149->936 1150 655d879-655d896 1149->1150 1150->1142 1153 655d89c-655d8a2 1150->1153 1153->936 1154 655d8a8-655d8c1 1153->1154 1156 655d8c7-655d8ee 1154->1156 1157 655d9dd-655d9e4 1154->1157 1156->936 1160 655d8f4-655d8fe 1156->1160 1157->1142 1157->1153 1160->936 1161 655d904-655d91b 1160->1161 1163 655d91d-655d928 1161->1163 1164 655d92a-655d945 1161->1164 1163->1164 1164->1157 1169 655d94b-655d964 call 6556628 1164->1169 1173 655d966-655d96b 1169->1173 1174 655d973-655d97c 1169->1174 1173->1174 1174->936 1175 655d982-655d9d6 1174->1175 1175->1157 1182->986 1183->986
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq
                                                      • API String ID: 0-2086306503
                                                      • Opcode ID: a87433124d7f2fab8fc579876aba8b2cbb2da3e323deea098f6daf950bd874e2
                                                      • Instruction ID: e20aaf8a74870493a792f7822da6a20e2e4836a1317a6b0e402b83473062e6aa
                                                      • Opcode Fuzzy Hash: a87433124d7f2fab8fc579876aba8b2cbb2da3e323deea098f6daf950bd874e2
                                                      • Instruction Fuzzy Hash: 81623F30A006058FCB65EF68D594A5EB7F2FF84300F218A69D4059F369DB75ED86CB84
                                                      Function 06554C08 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 1184 6554c08-6554c2c 1185 6554c2e-6554c31 1184->1185 1186 6554c33-6554c4d 1185->1186 1187 6554c52-6554c55 1185->1187 1186->1187 1188 6555334-6555336 1187->1188 1189 6554c5b-6554d53 1187->1189 1191 655533d-6555340 1188->1191 1192 6555338 1188->1192 1207 6554dd6-6554ddd 1189->1207 1208 6554d59-6554da1 1189->1208 1191->1185 1193 6555346-6555353 1191->1193 1192->1191 1209 6554e61-6554e6a 1207->1209 1210 6554de3-6554e53 1207->1210 1229 6554da6 call 65554b1 1208->1229 1230 6554da6 call 65554c0 1208->1230 1209->1193 1227 6554e55 1210->1227 1228 6554e5e 1210->1228 1221 6554dac-6554dc8 1224 6554dd3 1221->1224 1225 6554dca 1221->1225 1224->1207 1225->1224 1227->1228 1228->1209 1229->1221 1230->1221
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fpq$XPpq$\Opq
                                                      • API String ID: 0-2571271785
                                                      • Opcode ID: 499b8e2de7447267ac46cfdc8731ec674d38e79d14678adee0ef66ea9c2ea755
                                                      • Instruction ID: 2d57e46d3533b5f8ae467a420b40ba9deb1fb1dcb2a0e74002256cc8b32a954b
                                                      • Opcode Fuzzy Hash: 499b8e2de7447267ac46cfdc8731ec674d38e79d14678adee0ef66ea9c2ea755
                                                      • Instruction Fuzzy Hash: 9D619431F102089FEB549FA4C8587AEBBF6FF88700F21842AE505AB395DE758C458F91
                                                      Function 065591CA Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 2221 65591ca-65591fd 2223 65591ff-6559202 2221->2223 2224 6559ac0-6559ac3 2223->2224 2225 6559208-655921d 2223->2225 2226 6559ac5-6559ae4 2224->2226 2227 6559ae9-6559aeb 2224->2227 2232 6559235-655924b 2225->2232 2233 655921f-6559225 2225->2233 2226->2227 2228 6559af2-6559af5 2227->2228 2229 6559aed 2227->2229 2228->2223 2234 6559afb-6559b05 2228->2234 2229->2228 2239 6559256-6559258 2232->2239 2235 6559227 2233->2235 2236 6559229-655922b 2233->2236 2235->2232 2236->2232 2240 6559270-65592e1 2239->2240 2241 655925a-6559260 2239->2241 2252 65592e3-6559306 2240->2252 2253 655930d-6559329 2240->2253 2242 6559264-6559266 2241->2242 2243 6559262 2241->2243 2242->2240 2243->2240 2252->2253 2258 6559355-6559370 2253->2258 2259 655932b-655934e 2253->2259 2264 6559372-6559394 2258->2264 2265 655939b-65593b6 2258->2265 2259->2258 2264->2265 2270 65593b8-65593d4 2265->2270 2271 65593db-65593e9 2265->2271 2270->2271 2272 65593f9-6559473 2271->2272 2273 65593eb-65593f4 2271->2273 2279 6559475-6559493 2272->2279 2280 65594c0-65594d5 2272->2280 2273->2234 2284 6559495-65594a4 2279->2284 2285 65594af-65594be 2279->2285 2280->2224 2284->2285 2285->2279 2285->2280
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq
                                                      • API String ID: 0-3550614674
                                                      • Opcode ID: 2c0e05e966525c78f4a7a51d1069dce6ecaeedb6ba8596d842ca8948106d22b0
                                                      • Instruction ID: ed369e9ea1d42e6a5d6ed6aafae90ab34655dab14965b2510530b1952e11a148
                                                      • Opcode Fuzzy Hash: 2c0e05e966525c78f4a7a51d1069dce6ecaeedb6ba8596d842ca8948106d22b0
                                                      • Instruction Fuzzy Hash: C0513070B001058FDF54EB75D9A0BAE77F6BFC8650F50846AD90ADB398EA34EC118B90
                                                      Function 06554BF8 Relevance: 2.6, Strings: 2, Instructions: 138COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 2288 6554bf8-6554c2c 2289 6554c2e-6554c31 2288->2289 2290 6554c33-6554c4d 2289->2290 2291 6554c52-6554c55 2289->2291 2290->2291 2292 6555334-6555336 2291->2292 2293 6554c5b-6554d53 2291->2293 2295 655533d-6555340 2292->2295 2296 6555338 2292->2296 2311 6554dd6-6554ddd 2293->2311 2312 6554d59-6554da1 2293->2312 2295->2289 2297 6555346-6555353 2295->2297 2296->2295 2313 6554e61-6554e6a 2311->2313 2314 6554de3-6554e53 2311->2314 2333 6554da6 call 65554b1 2312->2333 2334 6554da6 call 65554c0 2312->2334 2313->2297 2331 6554e55 2314->2331 2332 6554e5e 2314->2332 2325 6554dac-6554dc8 2328 6554dd3 2325->2328 2329 6554dca 2325->2329 2328->2311 2329->2328 2331->2332 2332->2313 2333->2325 2334->2325
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fpq$XPpq
                                                      • API String ID: 0-1280283
                                                      • Opcode ID: 6a0bff4085843ef1969388f9a3d947b2ef3745590cf6706b390df8357c1ae96d
                                                      • Instruction ID: c900e96c082298a38a4728f4787e510bf55111f6c018f2c842cd43b620168c4b
                                                      • Opcode Fuzzy Hash: 6a0bff4085843ef1969388f9a3d947b2ef3745590cf6706b390df8357c1ae96d
                                                      • Instruction Fuzzy Hash: 6B519170F102089FDB54DFA4C514BAEBBF6BF88700F20852AE506AB3D5DE748C448B90
                                                      Function 00DAEC15 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 2513 daec15-daec21 2515 daec23-daec26 2513->2515 2516 daec27-daec7e 2513->2516 2518 daec86-daecb4 GlobalMemoryStatusEx 2516->2518 2519 daecbd-daece5 2518->2519 2520 daecb6-daecbc 2518->2520 2520->2519
                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00DAEBBA), ref: 00DAECA7
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2938648329.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_da0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemoryStatus
                                                      • String ID:
                                                      • API String ID: 1890195054-0
                                                      • Opcode ID: c6e81e86aedd8524f2dbb868fa62acd3552787b2f6ec01e3c528a606eae8f145
                                                      • Instruction ID: b80bfd5305a63fab7bb3f4daa8930873f57299b51174f6387657f7c291bb1cd8
                                                      • Opcode Fuzzy Hash: c6e81e86aedd8524f2dbb868fa62acd3552787b2f6ec01e3c528a606eae8f145
                                                      • Instruction Fuzzy Hash: 062177B1C002599FCB10DFAAD5447EEFBF4AF08320F14842AD918A7650D338A984CFA4
                                                      Function 00DAE758 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                      Download Yara Rule

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 2523 dae758-daecb4 GlobalMemoryStatusEx 2526 daecbd-daece5 2523->2526 2527 daecb6-daecbc 2523->2527 2527->2526
                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00DAEBBA), ref: 00DAECA7
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2938648329.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_da0000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemoryStatus
                                                      • String ID:
                                                      • API String ID: 1890195054-0
                                                      • Opcode ID: 9e041d5478ff8aba39d77c9ac7e26572554b05d9c48cbeaa057d285b364a6e5d
                                                      • Instruction ID: c564c3e0d5f2a3c6dd1bb1b5a650e81726bca48922608e2e3c17699d9ae94f23
                                                      • Opcode Fuzzy Hash: 9e041d5478ff8aba39d77c9ac7e26572554b05d9c48cbeaa057d285b364a6e5d
                                                      • Instruction Fuzzy Hash: 041112B1C006599BCB10DF9AC545BDEFBF4EB49320F14816AE918B7240D378A944CFE5
                                                      Function 0655DB70 Relevance: 1.4, Strings: 1, Instructions: 117COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PHkq
                                                      • API String ID: 0-902561536
                                                      • Opcode ID: 947f13d02e1b842118b508972fc1a3260705eabfffbb6693ab92da93c45d0aa4
                                                      • Instruction ID: 5e709b8b795f9008c3927562d95e6a89df4c4f2204b3da9ff9a3edd800d78a55
                                                      • Opcode Fuzzy Hash: 947f13d02e1b842118b508972fc1a3260705eabfffbb6693ab92da93c45d0aa4
                                                      • Instruction Fuzzy Hash: E7419E31E102099FDB64EF65C59869EBBB6BF85340F21462AE805EB254EB70D846CF84
                                                      Function 0655DB5D Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PHkq
                                                      • API String ID: 0-902561536
                                                      • Opcode ID: 773c22c8ffbfa545fa1c3608fc58e8cd0aec686c9f8a459e2144bb84bad77247
                                                      • Instruction ID: 1e6c84c1189fd3652662f6898d90e6571b16c60ae8a4ec9fed61e7ca75c35e89
                                                      • Opcode Fuzzy Hash: 773c22c8ffbfa545fa1c3608fc58e8cd0aec686c9f8a459e2144bb84bad77247
                                                      • Instruction Fuzzy Hash: 8241B131E106099FDB65DF64C59869EBBB2FF85300F15862AE805EB250EB70E846CF84
                                                      Function 06552285 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PHkq
                                                      • API String ID: 0-902561536
                                                      • Opcode ID: 3f16ddc19e001d20bb17af12deb6183982caa76b7f3381a291cf1a7955226042
                                                      • Instruction ID: a0b9d4fb221c0ad9647d8da8b62c177e84e7a5191e540310ed35fe5d3ea66f22
                                                      • Opcode Fuzzy Hash: 3f16ddc19e001d20bb17af12deb6183982caa76b7f3381a291cf1a7955226042
                                                      • Instruction Fuzzy Hash: 75310431B102058FDB55AB34C96836F7BE6BB89200F25847AD806DB395EF34DE46CB90
                                                      Function 06552298 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PHkq
                                                      • API String ID: 0-902561536
                                                      • Opcode ID: f96c0dc5bb305c396b29a5e4810390a5820610333b0b3f7a177fbd0a72033db0
                                                      • Instruction ID: aed661b91a2524527eca4135804e62057bdc9851f0ee7e9ebd92d32de116bd8d
                                                      • Opcode Fuzzy Hash: f96c0dc5bb305c396b29a5e4810390a5820610333b0b3f7a177fbd0a72033db0
                                                      • Instruction Fuzzy Hash: 02310231B102058FDB54AB34C96876F7BE6BBC9200F25846AD806DB3A5EF35DD46CB90
                                                      Function 0655B2BA Relevance: .3, Instructions: 292COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: be18f64921594790f51bb35ac1b197302af0fcf3dcf6abeaa852809da756094a
                                                      • Instruction ID: 876afc4e1324f49284b940934672c2ba0e1f55243f6f27021c655d4800a6edb7
                                                      • Opcode Fuzzy Hash: be18f64921594790f51bb35ac1b197302af0fcf3dcf6abeaa852809da756094a
                                                      • Instruction Fuzzy Hash: CEA16430F102098FDF64DB98D5BC7AE77A6FB89310F254826E805EB395DA35DC818B51
                                                      Function 06556270 Relevance: .2, Instructions: 229COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1bfa8df6ba4150d659ee87d60044ef5073d8c96bbdc19d306e25b7a9627d30fc
                                                      • Instruction ID: bfa466c11c1655a46b5a58392c7de0bcc029af9cd94d6b963d1fef65507587bb
                                                      • Opcode Fuzzy Hash: 1bfa8df6ba4150d659ee87d60044ef5073d8c96bbdc19d306e25b7a9627d30fc
                                                      • Instruction Fuzzy Hash: 8D61E3B2F001114FCF519A7DCC9466EBADBAFD4620B56443AE80ADB379DEA5DC0287C1
                                                      Function 06554339 Relevance: .2, Instructions: 226COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8844bf1c6d49eee3ffe6ddc9c4b8c4de802e97f3b1fa72819a86239771fa9775
                                                      • Instruction ID: 02b6f17da5cc4c6329603b84cfe04e22280a284d8c9aa141059d009dc4f3d7c1
                                                      • Opcode Fuzzy Hash: 8844bf1c6d49eee3ffe6ddc9c4b8c4de802e97f3b1fa72819a86239771fa9775
                                                      • Instruction Fuzzy Hash: 7D814E30B002058FDF54DFA8D5647AEB7F6BF85310F118826D80ADB399EA74EC858B91
                                                      Function 06554658 Relevance: .2, Instructions: 220COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7859b358ed02fbd2752d3ce309aef78b9e9709118ae42a3ad17cfd276c5cb501
                                                      • Instruction ID: 1b39dda0af645e140be10f14dbbc470114700584bdf0d7b8d9e1beb43b500d61
                                                      • Opcode Fuzzy Hash: 7859b358ed02fbd2752d3ce309aef78b9e9709118ae42a3ad17cfd276c5cb501
                                                      • Instruction Fuzzy Hash: 6C913B30E102198FDF60DF68C890B9DB7B1FF89310F21859AD549AB395DB70AA85CF91
                                                      Function 06554670 Relevance: .2, Instructions: 210COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 774424107e43cb674de35cc2e57e28ca01bf153d945d3527e6662950e653eae3
                                                      • Instruction ID: 4a09616c29383c4097b5acf5588cc03ec4e487f67e8d2d590680fa4c1cc7e7f8
                                                      • Opcode Fuzzy Hash: 774424107e43cb674de35cc2e57e28ca01bf153d945d3527e6662950e653eae3
                                                      • Instruction Fuzzy Hash: FE913B30E106198BDF60DF68C890B9DB7B1FF89310F20859AD549BB395DB70AA85CF91
                                                      Function 0655EBB0 Relevance: .2, Instructions: 209COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a846f468421e2e7a2a0964045ab328e6b15af50f050a1fe13e3fd221585d60e
                                                      • Instruction ID: 0a0d87449603d2d400159493429d917a3e01dfb17e3ee41641f5a3a7ad84f15c
                                                      • Opcode Fuzzy Hash: 3a846f468421e2e7a2a0964045ab328e6b15af50f050a1fe13e3fd221585d60e
                                                      • Instruction Fuzzy Hash: 26813A70A002099FCB54DFA8D995A9DBBF6FF88300F25856AD409EB355DB30ED46CB50
                                                      Function 0655EBC0 Relevance: .2, Instructions: 201COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3162bfc72bddf86fb8bd983cbf5994a027003b538a735db4e197883a9ad2c39f
                                                      • Instruction ID: ede0d1288039ccdece871c976cb0d712ab3553af1dded5469fbb61aecb118ef1
                                                      • Opcode Fuzzy Hash: 3162bfc72bddf86fb8bd983cbf5994a027003b538a735db4e197883a9ad2c39f
                                                      • Instruction Fuzzy Hash: 56712970A002099FCB54EFA8D995A9DBBF6FF88300F25856AE405EB355DB30ED46CB50
                                                      Function 0655FAD2 Relevance: .2, Instructions: 172COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4447398a8ae284bf6a217ee20db38d3f11b843de548fd72f278917f55a33ce95
                                                      • Instruction ID: 0164cdcfe73cd6ab472ff028f75e0c7c49defd978f4b6f18bcdcf8e9cd85bb67
                                                      • Opcode Fuzzy Hash: 4447398a8ae284bf6a217ee20db38d3f11b843de548fd72f278917f55a33ce95
                                                      • Instruction Fuzzy Hash: 5A51B730B142149FEF70666CD96876F3A9AE789710F214437E80AD77E9CA29CC454BA2
                                                      Function 0655FD30 Relevance: .2, Instructions: 171COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4afc984affd472d53c31d05eb89341f03f2bd8da1b11397d3622135ba3c41f5f
                                                      • Instruction ID: 0e4d423270d58800551e4b84ef4e3c9ea74ee3202e2b8365f3c9456a339ab610
                                                      • Opcode Fuzzy Hash: 4afc984affd472d53c31d05eb89341f03f2bd8da1b11397d3622135ba3c41f5f
                                                      • Instruction Fuzzy Hash: DD51E031E01105DFDF64AB78E8686AEBBB2FF85310F11886AE506D7251DF319855CF80
                                                      Function 0655FAE0 Relevance: .2, Instructions: 163COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1f93a18dc0dd7efad3398ce4b4ce2166a9341ce33c749f3a13fdaa041e40997c
                                                      • Instruction ID: f30d52de58b49a6a72bfcc0fda52982e337e2644cad4b5caf466d9783471ee1a
                                                      • Opcode Fuzzy Hash: 1f93a18dc0dd7efad3398ce4b4ce2166a9341ce33c749f3a13fdaa041e40997c
                                                      • Instruction Fuzzy Hash: 8351A630B14204DFEF64766CD96876F269EE789710F214837E90AD73E8CA69CC454BA1
                                                      Function 065554C0 Relevance: .1, Instructions: 126COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e588791c1f47f1157fe2fb8b8ea658af66f91a964013656d0aa9943d69e97a96
                                                      • Instruction ID: 79f2d5b184434ad62137260e1beb860217eaefcbfe1bde7df79b2770f0968fa5
                                                      • Opcode Fuzzy Hash: e588791c1f47f1157fe2fb8b8ea658af66f91a964013656d0aa9943d69e97a96
                                                      • Instruction Fuzzy Hash: 19414971E006098BDB70CEA9C894AAFFBF2FB84310F11492AE556D7650E730E9498F91
                                                      Function 06552148 Relevance: .1, Instructions: 97COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cf6aca670f1ef26867b935959bb7bd135ca40bd7e0be768d39f166fcc8f9c0d7
                                                      • Instruction ID: 301f5854ef4bb0cc1152fe42b5228312ccf868013ee559bb7e3bb80c448e9045
                                                      • Opcode Fuzzy Hash: cf6aca670f1ef26867b935959bb7bd135ca40bd7e0be768d39f166fcc8f9c0d7
                                                      • Instruction Fuzzy Hash: FC31B235E102058FCB19CFA4D96469EB7F2BF89300F11892AE805EB354DB31E942CF50
                                                      Function 06555620 Relevance: .1, Instructions: 95COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d7ef87e5991d8a90a3636c7f4be0d0fd6b428643d76513eb83f95aebe348d461
                                                      • Instruction ID: 40c9e58a554bd35bc6116234142f3602de3b4ac0bd7037e77f23c04973cbc24d
                                                      • Opcode Fuzzy Hash: d7ef87e5991d8a90a3636c7f4be0d0fd6b428643d76513eb83f95aebe348d461
                                                      • Instruction Fuzzy Hash: 78318F31E102058FDB60DEA9C4956AFFBB1FB45210F21882BD915D7291E634D9418F91
                                                      Function 06552158 Relevance: .1, Instructions: 91COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a24a4d93a0fd312455448fdbd7597451ae6e126968ea0ee7a6f6efca1e1c4b0a
                                                      • Instruction ID: 8c74b9d69758a39d144c89496bdc54d9c6b81955968f26a9c00064da0aae3eea
                                                      • Opcode Fuzzy Hash: a24a4d93a0fd312455448fdbd7597451ae6e126968ea0ee7a6f6efca1e1c4b0a
                                                      • Instruction Fuzzy Hash: 66316F35E106098BCB19CFA4D85569EB7F2BF89300F11892AE806EB354DB71AD46CB60
                                                      Function 06553B38 Relevance: .1, Instructions: 81COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 26cbadef451af9a713e41bfaa93af55c69e883960b5523a91c96a6e54853b372
                                                      • Instruction ID: 644a0f48caa5935c7b2467fe1e440a08a700b267d1ffc1705391a143163b1216
                                                      • Opcode Fuzzy Hash: 26cbadef451af9a713e41bfaa93af55c69e883960b5523a91c96a6e54853b372
                                                      • Instruction Fuzzy Hash: F4218B71E006159FDB40DFA9E991AAEBBF1BB88750F108826E905EB395E770D840CB90
                                                      Function 06553B48 Relevance: .1, Instructions: 78COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c84948377f3b995faf4fefa95e7e15300854b3df3e9bdcec910d79fe0d38989a
                                                      • Instruction ID: 88625098727b1ff2de78570a10d8b22f25fecabf527e97931407db0fe50c06ef
                                                      • Opcode Fuzzy Hash: c84948377f3b995faf4fefa95e7e15300854b3df3e9bdcec910d79fe0d38989a
                                                      • Instruction Fuzzy Hash: D3216B75E006159FDB50DFA9D990AAEBBF1BB88650F10842AE905EB355E730D840CB94
                                                      Function 00B1D044 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2937444153.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_b1d000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9729f268c0467c56d66a669a9de6a502b934482c0aeb7efdba9dc43be80b25c9
                                                      • Instruction ID: 494f49c7696e9e8af01bac1f1ab4dd8718a81767708ee0685bc1b5ce0c1b913d
                                                      • Opcode Fuzzy Hash: 9729f268c0467c56d66a669a9de6a502b934482c0aeb7efdba9dc43be80b25c9
                                                      • Instruction Fuzzy Hash: 7C210471504204EFCB14DF24C9D8B66BBA5FB88314F60C6ADE8494B256C73AD886CA61
                                                      Function 065530F8 Relevance: .1, Instructions: 63COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2dd9fbd9d1a237d55ca4550b0a8612a3a991b19adcb23aa965729bf10cbfb287
                                                      • Instruction ID: ac9286e7ded3e8b18fa41e3e435a9e282d9b506c7421c0cfaa421b5cdb1f8186
                                                      • Opcode Fuzzy Hash: 2dd9fbd9d1a237d55ca4550b0a8612a3a991b19adcb23aa965729bf10cbfb287
                                                      • Instruction Fuzzy Hash: 0711B171E002185BCB68DB78D8541DEF7B5FB89350F11897AD40AEB204EA319944CBE0
                                                      Function 06553C58 Relevance: .1, Instructions: 59COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8354ddf25ddbf2c3a9ed74c618ba0c90ab1f3fe44edb48bcaa4926d8f258bdb7
                                                      • Instruction ID: c3173947bfd53ddee7628543266713a55a3d0fe373d550891eef8d9592287e0c
                                                      • Opcode Fuzzy Hash: 8354ddf25ddbf2c3a9ed74c618ba0c90ab1f3fe44edb48bcaa4926d8f258bdb7
                                                      • Instruction Fuzzy Hash: 8111A532B105254BCF549679D8186AE77AABBC8690F01453AD80AE7358FE65DC018BD0
                                                      Function 0655429A Relevance: .1, Instructions: 56COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f89382e67a60c6c78dc00cc30acc80d292a84f3d76659834718e3f238f17457b
                                                      • Instruction ID: 250ff014ddbe0d0577d3e3db0cdbb1737b5b9d81940abb92e4d5c743ac7b878a
                                                      • Opcode Fuzzy Hash: f89382e67a60c6c78dc00cc30acc80d292a84f3d76659834718e3f238f17457b
                                                      • Instruction Fuzzy Hash: 5401BC31B040200BDB6096ADE86976BB3CAEBCA760F15843AE40AC7395EDA1CC824790
                                                      Function 0655EE31 Relevance: .1, Instructions: 55COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 430d1f933ba721185b81d39633994d131b6df645c48c984e6281588c7f74f53d
                                                      • Instruction ID: 19e1f1422a7bb53269d034a56209eff1e787ba64368fcb211f6ad6e90da4bde3
                                                      • Opcode Fuzzy Hash: 430d1f933ba721185b81d39633994d131b6df645c48c984e6281588c7f74f53d
                                                      • Instruction Fuzzy Hash: CF01D2317105010FDB259A3C9465B2BB7D6EBC6720F05882AE80ACB380E921ED068791
                                                      Function 06553C48 Relevance: .1, Instructions: 54COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ec305b840420e508ffa8b354b17b960e78ca55f59e13663f50e30891835a969b
                                                      • Instruction ID: 640df36a403049a16bdfd30b84eee2efde62f7eb9d4c7a39253dbe64103246fd
                                                      • Opcode Fuzzy Hash: ec305b840420e508ffa8b354b17b960e78ca55f59e13663f50e30891835a969b
                                                      • Instruction Fuzzy Hash: BD01B132B100244BCF5896B9D8686EB76AAAFC4690F01053BD80AD7264FF65DC018BE1
                                                      Function 00B1D03F Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2937444153.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_b1d000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction ID: 8890d343d7717ab2e47ea151638692cd15020b59a883973f3c46aaeb473bc0f3
                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                      • Instruction Fuzzy Hash: 7411DD75504284DFCB11CF24C9C4B56BFA2FB88314F24C6AED8494B252C33AD89ACF62
                                                      Function 06553910 Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: db6b110d8ec3a0e4fab7d9c3aa4174c81b34750621bd0cc595b7899cc031a781
                                                      • Instruction ID: 29b5c18ee9ed17ceffc451d4f366e44c7e645b472f5f50230bc58a30e45e8830
                                                      • Opcode Fuzzy Hash: db6b110d8ec3a0e4fab7d9c3aa4174c81b34750621bd0cc595b7899cc031a781
                                                      • Instruction Fuzzy Hash: D421C2B5D012199FCB10CF99D988ADEFBF4BB08314F10812AE918A7740D375A954CFA5
                                                      Function 0655A398 Relevance: .1, Instructions: 52COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 98cff0b15a2ecf2d84f29774367750c5e729023da296fbd68aac858cdb521417
                                                      • Instruction ID: ff30b7cabdfdfcbc491f9234fa019663c49d3efd6bcfe5faef4b3091d8a6fa13
                                                      • Opcode Fuzzy Hash: 98cff0b15a2ecf2d84f29774367750c5e729023da296fbd68aac858cdb521417
                                                      • Instruction Fuzzy Hash: 7A01DF35B141104FC7B0AA7CE46976EB7E5EB85764F11883AE50ACB394FE22DD018790
                                                      Function 06553918 Relevance: .1, Instructions: 52COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9b7c83028680e6f3d5fa4a1e63aa13b4c3cf3609533dbf49200b2898352de817
                                                      • Instruction ID: e26416881ca4f449aa68d6d594603b8170d4b339a1adb34ef33f21a67a65622c
                                                      • Opcode Fuzzy Hash: 9b7c83028680e6f3d5fa4a1e63aa13b4c3cf3609533dbf49200b2898352de817
                                                      • Instruction Fuzzy Hash: B911D3B1D012199FCB00CF9AD884ADEFBF4FB48314F10812AE918A7300D375A954CFA5
                                                      Function 065542A8 Relevance: .1, Instructions: 51COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f12565195a5ec72c68788cdfc29d60072b26fdb584b552eb418464fe108a5488
                                                      • Instruction ID: 1075cced60d0fc3f2ee197a06a993a42ac1c3931fab9079e51cdffd6e74124e8
                                                      • Opcode Fuzzy Hash: f12565195a5ec72c68788cdfc29d60072b26fdb584b552eb418464fe108a5488
                                                      • Instruction Fuzzy Hash: F701A931B000200FDB6496BDE91872FB3DAEBC9750F11843AE50AC7355ED61DC4247D1
                                                      Function 0655EE40 Relevance: .0, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bbbca92abaf0ef09d3ae14b08c854b662b1f0f90098cc8ae8303c87a92feb8f7
                                                      • Instruction ID: ec43e07505b10a4bdef1c04c53b3de2d22d62c9ba9bf53de0536b2aade845e68
                                                      • Opcode Fuzzy Hash: bbbca92abaf0ef09d3ae14b08c854b662b1f0f90098cc8ae8303c87a92feb8f7
                                                      • Instruction Fuzzy Hash: A401A431B204110BDB74967CA46973FB7DAEBC9B20F15883AF90AC7384EE21DD424791
                                                      Function 0655A3A8 Relevance: .0, Instructions: 46COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1f8747cd9230de9881e58fc4b1ebc34f5dddb418a72e1c15043a2fe56fb9095f
                                                      • Instruction ID: 620a66acff37bec2459aab4a82ad71494142a91d8467f0ea24173337affcf397
                                                      • Opcode Fuzzy Hash: 1f8747cd9230de9881e58fc4b1ebc34f5dddb418a72e1c15043a2fe56fb9095f
                                                      • Instruction Fuzzy Hash: AD018134B141144FCB70AA7CE46872E77D6EB89760F11893AE50ACB394EE22DC428794
                                                      Function 065564F9 Relevance: .0, Instructions: 25COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 85ee854fdb6a288a842857df5503629917e8c510ffaf1581f99dc4ca3326f7c2
                                                      • Instruction ID: fb805b75a42f48caced76de6c353c7fcf8de9be78ff3a055040d2dfe9d4ab83a
                                                      • Opcode Fuzzy Hash: 85ee854fdb6a288a842857df5503629917e8c510ffaf1581f99dc4ca3326f7c2
                                                      • Instruction Fuzzy Hash: 56E02071E241445BDF90CEB0CF1D35A7BA4F741204FA149A7C808D7101F137CE418B40
                                                      Function 06556508 Relevance: .0, Instructions: 22COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                                      • Instruction ID: 65857349085d4b32539b04f1db83b9d41410db85776a2e31d22ea5cfc7bdaf20
                                                      • Opcode Fuzzy Hash: aa976699a50b98a0a6b50c08d3026a88d70fc42e5459dfcadbf44bb0d2ea6d04
                                                      • Instruction Fuzzy Hash: 04E08C71E10149ABDF60CEA0C91975A7AACE741204FA185A6D808C7202E272CA018B80

                                                      Non-executed Functions

                                                      Function 06557728 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                      • API String ID: 0-1324371161
                                                      • Opcode ID: d162724a59854481ac52577675f3a3d210fddc9646de640c88e9529d279d4cf5
                                                      • Instruction ID: 8ea90412ef989dbce04f7428b7988997327e015ffc93fab7f7753099952d17e8
                                                      • Opcode Fuzzy Hash: d162724a59854481ac52577675f3a3d210fddc9646de640c88e9529d279d4cf5
                                                      • Instruction Fuzzy Hash: 5F125E30E012198FDB64DF65D958AAEB7F2FF88300F21856AD409AB364DB349D85CF90
                                                      Function 0655A9C8 Relevance: 10.2, Strings: 8, Instructions: 229COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                      • API String ID: 0-1078448309
                                                      • Opcode ID: b2051ca0b2548d2ed1b1882a3d20246d11ce98ff9328fa28fee868a98da7a27f
                                                      • Instruction ID: 8cd2dd71869716b710174a1c20e439133d28ebaaa3003c51e1fb526fa5d72456
                                                      • Opcode Fuzzy Hash: b2051ca0b2548d2ed1b1882a3d20246d11ce98ff9328fa28fee868a98da7a27f
                                                      • Instruction Fuzzy Hash: BF917230A10209DFDB64EF64D96876EBBF2BF84300F25862AE8019B395DB759D45CF90
                                                      Function 06557128 Relevance: 7.9, Strings: 6, Instructions: 405COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                      • API String ID: 0-1342094364
                                                      • Opcode ID: 6251b45c9723190304fcf4060364325bddda366cae61b6ba4e7cefa5fa081ada
                                                      • Instruction ID: 149b2c25ebc14022e359eef28958cb39ce9ea8d44e90d6a64e4f48f46610223e
                                                      • Opcode Fuzzy Hash: 6251b45c9723190304fcf4060364325bddda366cae61b6ba4e7cefa5fa081ada
                                                      • Instruction Fuzzy Hash: 61F13E30A00209CFDB55EF64D554B5EBBB6FF88300F25856AD8059B3A9DB35EC46CB90
                                                      Function 06558460 Relevance: 5.3, Strings: 4, Instructions: 282COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq$$kq
                                                      • API String ID: 0-2881790790
                                                      • Opcode ID: 83e823e2723a23ee3ef191e9ef6e8329cac6398f9ad0a93c40588fbb76b5caa4
                                                      • Instruction ID: d10db44d66818c7b36d484f5a4bf9b4f3eba383e7e0b3950f6f45778df3546aa
                                                      • Opcode Fuzzy Hash: 83e823e2723a23ee3ef191e9ef6e8329cac6398f9ad0a93c40588fbb76b5caa4
                                                      • Instruction Fuzzy Hash: A2B14C30E11218CFDB64EF64D56865EBBB2FF84300F25886AD8069B395DB35DC86CB90
                                                      Function 06558878 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LRkq$LRkq$$kq$$kq
                                                      • API String ID: 0-2392252538
                                                      • Opcode ID: 2660652afdc9670120a04ee7f2ccf2188313c2a517d63d127070710d2b32e6c1
                                                      • Instruction ID: b54ca9a88227cae61c8fa319623c4a5f25a5ffe9edf910807585ac6ce7d7f876
                                                      • Opcode Fuzzy Hash: 2660652afdc9670120a04ee7f2ccf2188313c2a517d63d127070710d2b32e6c1
                                                      • Instruction Fuzzy Hash: 7A51C530B002158FDB64EF68D954A6AB7F6FF84710F15896AE8059F3A9DB30EC44CB91
                                                      Function 0655AD50 Relevance: 5.2, Strings: 4, Instructions: 164COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2943917038.0000000006550000.00000040.00000800.00020000.00000000.sdmp, Offset: 06550000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_6550000_Remittance Receipt.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $kq$$kq$$kq$$kq
                                                      • API String ID: 0-2881790790
                                                      • Opcode ID: fb9a5cedc4cb73b5098d2559b7a5339776a8c51a24c4243caf59fad8115d15d1
                                                      • Instruction ID: 4d001a88d9dd6385538e05ddb18e4e52f89990a4960cff5a0e6a3f80c6f41af5
                                                      • Opcode Fuzzy Hash: fb9a5cedc4cb73b5098d2559b7a5339776a8c51a24c4243caf59fad8115d15d1
                                                      • Instruction Fuzzy Hash: BC518034E102058FCB65EB64E4A466EB7B2FF85311F168A2AD805DB355DB34EC41CFA0