Edit tour

Windows Analysis Report
01-05-24 remittance.exe

Overview

General Information

Sample name:	01-05-24 remittance.exe
Analysis ID:	1435135
MD5:	361f6774344487264f85a0aef1f795cb
SHA1:	69de5995ebfef3f48a97298e4dfc17608585942d
SHA256:	d07298904df26d392ea22c39805a5eac170df9aef797c6a86f885c36cabe7d90
Infos:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Classification

Process Tree

System is w10x64native

01-05-24 remittance.exe (PID: 5632 cmdline: "C:\Users\user\Desktop\01-05-24 remittance.exe" MD5: 361F6774344487264F85A0AEF1F795CB)

01-05-24 remittance.exe (PID: 9120 cmdline: "C:\Users\user\Desktop\01-05-24 remittance.exe" MD5: 361F6774344487264F85A0AEF1F795CB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\disktyper\twinly\olacaceae\Nonassimilability184.Twi	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.537805205400.0000000001660000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000006.00000002.533745678739.00000000049B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000006.00000002.533745678739.0000000005541000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000C.00000002.537805205400.00000000021F1000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://209.90.233.2/KaXATaApmZMt189.bin#uC	Virustotal: Detection: 11%	Perma Link
Source: http://209.90.233.2/KaXATaApmZMt189.bin#	Virustotal: Detection: 11%	Perma Link
Source: http://209.90.233.2/KaXATaApmZMt189.bin	Virustotal: Detection: 11%	Perma Link
Source: http://209.90.233.2/KaXATaApmZMt189.bin#r	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: 01-05-24 remittance.exe	ReversingLabs: Detection: 23%
Source: 01-05-24 remittance.exe	Virustotal: Detection: 13%			Perma Link

Source: 01-05-24 remittance.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 01-05-24 remittance.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: mshtml.pdbUGP source: 01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000649000.00000020.00000001.01000000.00000008.sdmp

Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Code function: 6_2_004065DA FindFirstFileW,FindClose,	6_2_004065DA
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Code function: 6_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_004059A9
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Code function: 6_2_00402868 FindFirstFileW,	6_2_00402868

Source: global traffic

TCP traffic: 192.168.11.30:49879 -> 209.90.233.2:80

Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2
Source: unknown	TCP traffic detected without corresponding DNS query: 209.90.233.2

Source: 01-05-24 remittance.exe, 0000000C.00000003.533442429749.000000000420A000.00000004.00000020.00020000.00000000.sdmp, 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.bin
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.bin#
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.bin#r
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.bin#uC
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.bin7uW
Source: 01-05-24 remittance.exe, 0000000C.00000003.533442429749.000000000420A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.bin=
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.bin=r
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.binKaXATaApmZMt189.bin
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.binKaXATaApmZMt189.bin=
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.binSu
Source: 01-05-24 remittance.exe, 0000000C.00000003.533442429749.000000000420A000.00000004.00000020.00020000.00000000.sdmp, 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.binW
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.bina
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.binarz
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.bingu
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.binku
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.binuu
Source: 01-05-24 remittance.exe, 0000000C.00000003.533442429749.000000000420A000.00000004.00000020.00020000.00000000.sdmp, 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.binv
Source: 01-05-24 remittance.exe, 0000000C.00000003.533442429749.000000000420A000.00000004.00000020.00020000.00000000.sdmp, 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.binx
Source: 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://209.90.233.2/KaXATaApmZMt189.binyu
Source: 01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: 01-05-24 remittance.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: 01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000626000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: 01-05-24 remittance.exe, 0000000C.00000001.533087111579.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: 01-05-24 remittance.exe, 0000000C.00000001.533087111579.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: 01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

Code function: 6_2_0040543E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

6_2_0040543E

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

Code function: 6_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

6_2_0040336C

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Code function: 6_2_00404C7B		6_2_00404C7B
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Code function: 6_2_734B1B5F		6_2_734B1B5F

Source: 01-05-24 remittance.exe

Static PE information: invalid certificate

Source: 01-05-24 remittance.exe, 00000006.00000000.532683922009.00000000007CD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelaminiplantation aarbogsudgiverens.exeDVarFileInfo$ vs 01-05-24 remittance.exe
Source: 01-05-24 remittance.exe, 0000000C.00000000.533084216986.00000000007CD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelaminiplantation aarbogsudgiverens.exeDVarFileInfo$ vs 01-05-24 remittance.exe
Source: 01-05-24 remittance.exe	Binary or memory string: OriginalFilenamelaminiplantation aarbogsudgiverens.exeDVarFileInfo$ vs 01-05-24 remittance.exe

Source: 01-05-24 remittance.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.winEXE@3/7@0/1

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

6_2_0040336C

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

Code function: 6_2_004046FF GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

6_2_004046FF

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

Code function: 6_2_00402104 CoCreateInstance,

6_2_00402104

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

File created: C:\Users\user\AppData\Local\disktyper

Jump to behavior

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

File created: C:\Users\user\AppData\Local\Temp\nsdA07B.tmp

Jump to behavior

Source: 01-05-24 remittance.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 01-05-24 remittance.exe	ReversingLabs: Detection: 23%
Source: 01-05-24 remittance.exe	Virustotal: Detection: 13%

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

File read: C:\Users\user\Desktop\01-05-24 remittance.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\01-05-24 remittance.exe "C:\Users\user\Desktop\01-05-24 remittance.exe"
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Process created: C:\Users\user\Desktop\01-05-24 remittance.exe "C:\Users\user\Desktop\01-05-24 remittance.exe"
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Process created: C:\Users\user\Desktop\01-05-24 remittance.exe "C:\Users\user\Desktop\01-05-24 remittance.exe"	Jump to behavior

Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Section loaded: srvcli.dll	Jump to behavior

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: dirigentstokkens.lnk.6.dr

LNK file: ..\..\..\..\..\Desktop\Udnyttelig.sko

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

File written: C:\Users\user\AppData\Local\Temp\Setup.ini

Jump to behavior

Source: 01-05-24 remittance.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: mshtml.pdbUGP source: 01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000649000.00000020.00000001.01000000.00000008.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000006.00000002.533745678739.0000000005541000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.537805205400.00000000021F1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.537805205400.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.533745678739.00000000049B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\disktyper\twinly\olacaceae\Nonassimilability184.Twi, type: DROPPED

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

Code function: 6_2_734B1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

6_2_734B1B5F

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

File created: C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\dirigentstokkens.lnk

Jump to behavior

Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\01-05-24 remittance.exe TID: 9124	Thread sleep count: 98 > 30			Jump to behavior
Source: C:\Users\user\Desktop\01-05-24 remittance.exe TID: 9124	Thread sleep time: -98000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Code function: 6_2_004065DA FindFirstFileW,FindClose,	6_2_004065DA
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Code function: 6_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	6_2_004059A9
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	Code function: 6_2_00402868 FindFirstFileW,	6_2_00402868

Source: 01-05-24 remittance.exe, 0000000C.00000003.533442429749.00000000041CD000.00000004.00000020.00020000.00000000.sdmp, 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004213000.00000004.00000020.00020000.00000000.sdmp, 01-05-24 remittance.exe, 0000000C.00000003.533442429749.0000000004213000.00000004.00000020.00020000.00000000.sdmp, 01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\01-05-24 remittance.exe	API call chain: ExitProcess graph end node			graph_6-4371
Source: C:\Users\user\Desktop\01-05-24 remittance.exe	API call chain: ExitProcess graph end node			graph_6-4524

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

Code function: 6_2_734B1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

6_2_734B1B5F

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

Process created: C:\Users\user\Desktop\01-05-24 remittance.exe "C:\Users\user\Desktop\01-05-24 remittance.exe"

Jump to behavior

Source: C:\Users\user\Desktop\01-05-24 remittance.exe

6_2_0040336C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
01-05-24 remittance.exe	24%	ReversingLabs	Win32.Trojan.Guloader
01-05-24 remittance.exe	14%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.binku	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.binarz	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.bingu	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.binuu	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.bin#uC	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.binv	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.binyu	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.bin#uC	12%	Virustotal		Browse
http://209.90.233.2/KaXATaApmZMt189.binKaXATaApmZMt189.bin=	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.binx	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.binKaXATaApmZMt189.bin	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.bin=	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.bin=r	0%	Avira URL Cloud	safe
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.bina	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.bin#	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.binSu	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.bin#	12%	Virustotal		Browse
http://209.90.233.2/KaXATaApmZMt189.binW	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Virustotal		Browse
http://209.90.233.2/	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Virustotal		Browse
http://209.90.233.2/KaXATaApmZMt189.bin	0%	Avira URL Cloud	safe
http://209.90.233.2/KaXATaApmZMt189.bin7uW	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Virustotal		Browse
http://209.90.233.2/KaXATaApmZMt189.bin#r	0%	Avira URL Cloud	safe
http://209.90.233.2/	4%	Virustotal		Browse
http://209.90.233.2/KaXATaApmZMt189.bin	12%	Virustotal		Browse
http://209.90.233.2/KaXATaApmZMt189.bin#r	12%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://209.90.233.2/KaXATaApmZMt189.bingu	01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.binku	01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.binarz	01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.binuu	01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000649000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.binv	01-05-24 remittance.exe, 0000000C.00000003.533442429749.000000000420A000.00000004.00000020.00020000.00000000.sdmp, 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.bin#uC	01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.binyu	01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.binKaXATaApmZMt189.bin=	01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.binx	01-05-24 remittance.exe, 0000000C.00000003.533442429749.000000000420A000.00000004.00000020.00020000.00000000.sdmp, 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	01-05-24 remittance.exe	false		high
http://209.90.233.2/KaXATaApmZMt189.binKaXATaApmZMt189.bin	01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000626000.00000020.00000001.01000000.00000008.sdmp	false		high
http://209.90.233.2/KaXATaApmZMt189.bin=	01-05-24 remittance.exe, 0000000C.00000003.533442429749.000000000420A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.bin=r	01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gopher.ftp://ftp.	01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000649000.00000020.00000001.01000000.00000008.sdmp	false	Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.bina	01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	01-05-24 remittance.exe, 0000000C.00000001.533087111579.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.bin#	01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.binSu	01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	01-05-24 remittance.exe, 0000000C.00000001.533087111579.0000000000649000.00000020.00000001.01000000.00000008.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	01-05-24 remittance.exe, 0000000C.00000001.533087111579.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.binW	01-05-24 remittance.exe, 0000000C.00000003.533442429749.000000000420A000.00000004.00000020.00020000.00000000.sdmp, 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://209.90.233.2/	01-05-24 remittance.exe, 0000000C.00000003.533442429749.000000000420A000.00000004.00000020.00020000.00000000.sdmp, 01-05-24 remittance.exe, 0000000C.00000002.537816047949.0000000004209000.00000004.00000020.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.bin	01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.bin7uW	01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://209.90.233.2/KaXATaApmZMt189.bin#r	01-05-24 remittance.exe, 0000000C.00000002.537816047949.00000000041A8000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
209.90.233.2	unknown	United States		136175	SERVERHOSH-AS-APServerhoshInternetServiceNL	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435135
Start date and time:	2024-05-02 07:57:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	01-05-24 remittance.exe
Detection:	MAL
Classification:	mal72.troj.winEXE@3/7@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 89% Number of executed functions: 44 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): assets.msn.com, ctldl.windowsupdate.com, api.msn.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:02:47	API Interceptor	69x Sleep call for process: 01-05-24 remittance.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SERVERHOSH-AS-APServerhoshInternetServiceNL	87tBuE42ft.exe	Get hash	malicious	Remcos, GuLoader	Browse	209.90.234.20
	http://213.139.205.131/update_ver	Get hash	malicious	Unknown	Browse	213.139.205.131
	http://213.139.205.131/w_ver.dat	Get hash	malicious	Unknown	Browse	213.139.205.131
	http://213.139.205.131/update_ver	Get hash	malicious	Unknown	Browse	213.139.205.131
	ReleaseEvans#27.docm	Get hash	malicious	Unknown	Browse	213.139.205.131
	Application#89.docm	Get hash	malicious	Unknown	Browse	213.139.205.131
	ReleaseEvans#90.docm	Get hash	malicious	Unknown	Browse	213.139.205.131
	qvX9Cyuqyq.exe	Get hash	malicious	PureLog Stealer, Vidar, Xmrig	Browse	213.139.207.234
	G0k5A7CSy7.exe	Get hash	malicious	PureLog Stealer, Xmrig	Browse	213.139.207.234
	UJb7fpXCyP.exe	Get hash	malicious	zgRAT	Browse	213.139.207.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll	MegaUniversesMQ.exe	Get hash	malicious	Unknown	Browse
	MegaUniversesMQ.exe	Get hash	malicious	Unknown	Browse
	TomeluxGamex.exe	Get hash	malicious	Unknown	Browse
	TomeluxGamex.exe	Get hash	malicious	Unknown	Browse
	https://meet.servers.getgo.com/opener/e30.eyJpYXQiOjE3MTQ0OTcwOTYsImxhdW5jaFBhcmFtcyI6eyJidWlsZCI6IjE5OTUwIiwidGVsZW1ldHJ5VVJMIjoiaHR0cHM6Ly9sYXVuY2hzdGF0dXMuZ2V0Z28uY29tL2xhdW5jaGVyMi90ZWxlbWV0cnkvaGVscGVyP3Rva2VuPWcybS1yNGFnZXJmbmM4eGM1YnQwb2ZwY2poZC1iMTk5NTAtc2Nsc0pvaW5fYjBmZGI5NjFfNjM2OF80YTU2XzgwMTFfMmI0ZTlmYjEzNmRmIiwiZW5kcG9pbnRQYXJhbXMiOnsiUHJvZHVjdCI6ImcybSIsInNlc3Npb25UcmFja2luZ0lkIjoiY2xzSm9pbi1iMGZkYjk2MS02MzY4LTRhNTYtODAxMS0yYjRlOWZiMTM2ZGYiLCJsYXVuY2hVcmwiOiJtZWV0aW5nP3Nlc3Npb25UcmFja2luZ0lkPWNsc0pvaW4tYjBmZGI5NjEtNjM2OC00YTU2LTgwMTEtMmI0ZTlmYjEzNmRmJmNsaWVudEdlbmVyYXRpb249cm9sbGluZyIsImVudiI6ImxpdmUifX0sInZlcnNpb24iOiIxLjAiLCJmbG93VHlwZSI6ImpvaW4iLCJlbmRwb2ludEZsYXZvciI6eyJmbGF2b3IiOiJuZXV0cm9uIiwiZmxhdm9yRW5mb3JjZWQiOiJ0cnVlIn0sImlzRmxhdm9yRmluYWwiOnRydWV9.e30	Get hash	malicious	Unknown	Browse
	Return-of-Space-Setup.exe	Get hash	malicious	Unknown	Browse
	Launcher.exe	Get hash	malicious	Unknown	Browse
	ReturnLegend.exe	Get hash	malicious	Stealit	Browse
	SenPalia.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Setup.ini

Download File

Process:	C:\Users\user\Desktop\01-05-24 remittance.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	4.021928094887362
Encrypted:	false
SSDEEP:	3:tOmLGty:tOmLGk
MD5:	9B1323CB958B743E5D2DA6EA113669D1
SHA1:	19DFA989495873F9CE1C09DF57429488DCFBEC2F
SHA-256:	D3B25A2E18EDD0F31A3AC4B4CAEC165433EF23FFD8D99D2279B0D4ADC904BC8C
SHA-512:	48714DB0DECB71391544F445086EDF71B9E5A0E4A36BDABE5A8EE3C8AEF2937C8A262944F7ECAD4033A918174B2EC08DD431755DEC6182C8DE266C8EB5A1CE4A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Clock]..Ini=False..

C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\01-05-24 remittance.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.719859767584478
Encrypted:	false
SSDEEP:	192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
MD5:	0D7AD4F45DC6F5AA87F606D0331C6901
SHA1:	48DF0911F0484CBE2A8CDD5362140B63C41EE457
SHA-256:	3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
SHA-512:	C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: MegaUniversesMQ.exe, Detection: malicious, Browse Filename: MegaUniversesMQ.exe, Detection: malicious, Browse Filename: TomeluxGamex.exe, Detection: malicious, Browse Filename: TomeluxGamex.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Return-of-Space-Setup.exe, Detection: malicious, Browse Filename: Launcher.exe, Detection: malicious, Browse Filename: ReturnLegend.exe, Detection: malicious, Browse Filename: SenPalia.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae\Nonassimilability184.Twi

Download File

Process:	C:\Users\user\Desktop\01-05-24 remittance.exe
File Type:	data
Category:	dropped
Size (bytes):	196624
Entropy (8bit):	7.432577496884297
Encrypted:	false
SSDEEP:	3072:PVmWi7Sw8mbUvoFEbdVz3kzmtG1UzA9qq1r/Z:7LIYIEbf3kieUzA911V
MD5:	04EC5EFA35E41202F2E971EFEBFCAE18
SHA1:	4383EAA45289EE2B76EE8765C5757975AA88B7B6
SHA-256:	33FB40069ED0A607DE18113225F2DD7BE2014145B9CC1F6909EE5E0F2FCEDCBA
SHA-512:	E809178FF3FB79D5BED235FE12F5019B527F5E4294CE899464447AEFB640B897A4D1E2554B404FFD85CEB495EDDD406B711B58C67A7207F3A3ADE7E59B87E3FE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\disktyper\twinly\olacaceae\Nonassimilability184.Twi, Author: Joe Security
Reputation:	low
Preview:	..............J._.............:..c.3...00.kkkkk...............2.!.h....................................X......??..E........v. .....Y..................M...^.............dddd...0000...............\......................m............====.QQQ.55...........``..*....ll......................)))).....y......................u....3....0000..........g.....f.............9....Q..HH.......0...............pp........'.Z.............................................7................=.........\\..........................B...............O.ll......... ........................................................j..................J...))........FFF.k..22222.nn....IIIII..............................MM.....\\\.............EE..7.WW...........................F....................ooo..............:...III..........---..............................................z..........JJ..~............--.........oo...........aaa................QQ.............................ttttt..................c...........................kk.

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae\Zilla.Ant

Download File

Process:	C:\Users\user\Desktop\01-05-24 remittance.exe
File Type:	data
Category:	dropped
Size (bytes):	80303
Entropy (8bit):	4.608829441578328
Encrypted:	false
SSDEEP:	1536:1VULCFU7kWdjBQ0pDFjXFrMqDiv7oZXeZ:1V6CFU7JdjBQ0pBXFrMhzkXm
MD5:	62749B5B387D6B42CA0AD4A2AECB3A1D
SHA1:	36EF1C2F2A6FEE818320E781611CBEC882CADF4C
SHA-256:	1499CD409C9D8B01938B2D1027E3E29320171592443433061EDF4ED93600542D
SHA-512:	CA25B614097152DF690EB650FCD48BEF1460EE18E09B19A6E791DBD87C2ACA9F6527AB8D34B88CE489A2219F7003CEF66BD2FFCE068C9DDB638D24318CD13431
Malicious:	false
Reputation:	low
Preview:	...66..........P...iiii.sssss.......qqq..............................I.........AA.....w.........A....................4.M....Z......ooooo......T.............\|.$..S.@......\|\|.....P..7.0................+.K....".'''.............................O........o.))...K......................CC.............'..........QQ.....>>>>..I...............RR............................."".NNN...<...........................V..........JJ....mm....IIIII..........'..........v.<........................W..=.......qq...]]...........nn.......L.........qq..........n...........................NN....Z........;;.....xx.........N............w...........2........!!!............................Z....................pp....f..............5."""..............II..................W.hh.........~~~~....7....MMMM...lll..................&.............8...................l......[......<<<<...................rrrr....................................JJJ......~..................1..................!.P.........22....((...>>>..GG.....u.......

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae\jammerklagerne.txt

Download File

Process:	C:\Users\user\Desktop\01-05-24 remittance.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	415
Entropy (8bit):	4.204022239722021
Encrypted:	false
SSDEEP:	6:KS0EIN5oKkyfsSxpq6EXupLBdhrpb5DizV3TgKqC1KV4wqSblIQJJKNStZ:5os0pq6+uxhrVIJY8NUWgZ
MD5:	08A2560DA55D4CCB74036D06F9CDC622
SHA1:	4BC5B25CB89BB098C14919C8B8B5ED25A961A9C2
SHA-256:	49E6E77BEA0EEBD2CD6BB811D74095918FD0AB7B7132E812D0DE4BC1B16474C4
SHA-512:	1507BD842FEFAF6A60F31FEA5EB5143189E82CED258AA669031A6E13703FB1011AA03B52D1070454E05E8519538A95775AB8DDDDA397B8D322149EA95C7B9E56
Malicious:	false
Reputation:	low
Preview:	infranatural interrogation eksamenssnydere oscillatorer gazebind prparand.snock lanolinets genteel jupiter soliloquize pantstninger djerib dekorhwr kogesprits kontradiktioners reattraction..afgreningers tomatiserede lameet bioassays arryish.testamentsvidnerne eyeletted snoldet,phrenopathic labioplasty deklasseres vacuumised gearstangs,strandingsgodsets stk pagernes fagmesserne understryges brobanen omskiftelser,

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae\usynligheden.obj

Download File

Process:	C:\Users\user\Desktop\01-05-24 remittance.exe
File Type:	data
Category:	dropped
Size (bytes):	2947
Entropy (8bit):	4.860358963021811
Encrypted:	false
SSDEEP:	48:khllm5UaEEz5jXOFsaiPi+PlAMBSY48IBvCrlxF3uIBBiifFmJhTmbxk:wgUawsaUP6MkBIHzMvJ
MD5:	209D144824A946CD021426B85FFDEB39
SHA1:	8CF1DDF62139D7ABA4700F2E6230A230A6B7E43B
SHA-256:	AEA107E60BC0BEF5E490E77E1CB716B68B50033EEECA50A1FB894FB25C7CF5FB
SHA-512:	BDFB49D66E244CA59E108987B6FB1673C4C3FF389267D96A274422FF8A8FFCB1B23007EC23401FD10EA73BCEC68EFA92F2880C5ED5F1CD4A22E331B310EFF91C
Malicious:	false
Preview:	............................z.........R..=....C........&....(ADna....T..............{s.....B.. o...9...m...............G.........................S.............d..................O....r..........H5.....C.o......]........5...s......................V..."..........=........i.e..d.b\|.......a..l.W....RR.K........@..i..........r.................3.9........,.......\|....%.2...&.....%..............i..6..../............Y.......x.........g....../......E................?............oO6.'.....2...u^.}...............P[.9.....u....R............b......%4....4.....r..\|../.....>...............o......~.....m......`..........w..>.....{............f.........N.Z...........9x.......K....%..u.....,....l.....R.p.......LK...).......;...........\.(.............r..y..9......w.......I.....g............\|.T5.................N.h.=...e.*..y...4..t. .......~...J.......c........................k..F8NZ....(................}.X..<V...B.............C..].-.......s....H.;......z..................%..fq..$..G.......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\dirigentstokkens.lnk

Download File

Process:	C:\Users\user\Desktop\01-05-24 remittance.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	858
Entropy (8bit):	3.257101208213004
Encrypted:	false
SSDEEP:	12:8wl040sXUjO/GX1QPZGxKAGxWEQ1AQfdTfzaDjv4t2YCBTo:8UXVeFhWwpe2f2DjlJT
MD5:	E2008AD8A53E91B08980B96A4993A027
SHA1:	94386CFCE278B63F729D6501807B1168F5ED87A3
SHA-256:	03BD0408BFA1C059699A20576589624D7491D322785EDF14BAC786C263B9750D
SHA-512:	28AED3FCB7E23F5851694E005A3A7268416D1C8DA30A58D64BE53FCB425F7FC21BE2B36C346D62A05728CFDFBAC0FB4037482A61AC4135DFC9797E9355BF8D24
Malicious:	false
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................D.y.l.a.n.e.....V.1...........Desktop.@............................................D.e.s.k.t.o.p.....l.2...........Udnyttelig.sko..N............................................U.d.n.y.t.t.e.l.i.g...s.k.o.......%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.U.d.n.y.t.t.e.l.i.g...s.k.o.8.C.:.\.U.s.e.r.s.\.D.y.l.a.n.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.s.k.t.y.p.e.r.\.t.w.i.n.l.y.\.o.l.a.c.a.c.e.a.e.........:..,.LB.)...A'...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.6.5.6.7.-.2.9.6.9.5.8.8.3.8.2.-.3.7.7.8.2.2.2.4.1.4.-.1.0.0.3.................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.362851464764189
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	01-05-24 remittance.exe
File size:	339'552 bytes
MD5:	361f6774344487264f85a0aef1f795cb
SHA1:	69de5995ebfef3f48a97298e4dfc17608585942d
SHA256:	d07298904df26d392ea22c39805a5eac170df9aef797c6a86f885c36cabe7d90
SHA512:	2602c44a212d9b5cb9856f12c7c6c447c268083a180d10c7160dc0a4d97f1e7cf418dc8d00af66ed398d261ae2b68c80d185226705fcbc2051c06e33ff6f7fee
SSDEEP:	6144:bNgoThHBHVJEsjBMlnZcHJFvBenm3ZEDHPZaZofgC8ikdyh+TgYJuNK/s:5VBJEsWxZcHKmJEDHPZ8dC8ikdyETpJS
TLSH:	7774E004AB51DD07EF412A755891F73C6BB49F646D1683039FF8BD9E3A387A0EC8A244
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L......\.................d....:....

File Icon


Icon Hash:	073371f36d7d3d03

Static PE Info

General

Entrypoint:	0x40336c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F07 [Sat Dec 15 22:24:07 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Giacopo@Xenopeltidae.Gad, O=Radarskrmenes, OU="Lynlaasen Paliurus Pjkkes ", CN=Radarskrmenes, L=Ancemont, S=Grand Est, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	28/12/2023 08:50:53 27/12/2026 08:50:53
Subject Chain	E=Giacopo@Xenopeltidae.Gad, O=Radarskrmenes, OU="Lynlaasen Paliurus Pjkkes ", CN=Radarskrmenes, L=Ancemont, S=Grand Est, C=FR
Version:	3
Thumbprint MD5:	D9B86C7AF7178A5E3614891B90A1F954
Thumbprint SHA-1:	D4B3431EA3063FDEB760332A8B069A0A44795016
Thumbprint SHA-256:	18D072FB62F79AF70A751C82B0B31EDFCC4BA58B7F4BA7B67F5F5DB78E6DAA9E
Serial:	5B3F512F9CD9906BB7AE68229FDBAB9F8C4B12A4

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A8A2Ch], eax
je 00007F58E4530E93h
push ebx
call 00007F58E4534145h
cmp eax, ebx
je 00007F58E4530E89h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F58E45340BFh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F58E4530E6Ch
push 0000000Ah
call 00007F58E4534118h
push 00000008h
call 00007F58E4534111h
push 00000006h
mov dword ptr [007A8A24h], eax
call 00007F58E4534105h
cmp eax, ebx
je 00007F58E4530E91h
push 0000001Eh
call eax
test eax, eax
je 00007F58E4530E89h
or byte ptr [007A8A2Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [007A8AF8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0079FEE0h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3cd000	0x19b00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x519e8	0x1478	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6400	0x6400	cbfbbc5921ade64132692b17a67e027c	False	0.678359375	data	6.511112273730313	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1396	0x1400	ef1be07ca8b096915258569fb3718a3c	False	0.453125	data	5.159710562612049	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb38	0x600	09e0c528682cd2747c63b7ba39c2cc23	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x24000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3cd000	0x19b00	0x19c00	71b42186b28675f5e696bb0c8748b976	False	0.4747705552184466	data	5.266134971564984	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3cd2c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.43271619543357387
RT_ICON	0x3ddaf0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.5468233349078885
RT_ICON	0x3e1d18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.5839211618257262
RT_ICON	0x3e42c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.6622889305816135
RT_ICON	0x3e5368	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.7176229508196721
RT_ICON	0x3e5cf0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.7039007092198581
RT_DIALOG	0x3e6158	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3e6258	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3e6378	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3e63d8	0x5a	data	English	United States	0.9444444444444444
RT_VERSION	0x3e6438	0x2a0	data	English	United States	0.4568452380952381
RT_MANIFEST	0x3e66d8	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 08:00:03.037738085 CEST	49879	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:04.051816940 CEST	49879	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:06.067020893 CEST	49879	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:08.067729950 CEST	49880	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:09.081796885 CEST	49880	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:11.097079992 CEST	49880	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:13.097505093 CEST	49881	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:14.112025023 CEST	49881	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:16.127146959 CEST	49881	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:18.130808115 CEST	49882	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:19.142115116 CEST	49882	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:21.157198906 CEST	49882	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:23.158371925 CEST	49883	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:24.172271967 CEST	49883	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:26.187369108 CEST	49883	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:28.187716961 CEST	49885	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:29.202328920 CEST	49885	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:31.217433929 CEST	49885	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:33.264446974 CEST	49886	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:34.279232979 CEST	49886	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:36.294526100 CEST	49886	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:38.294635057 CEST	49887	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:39.309524059 CEST	49887	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:41.324577093 CEST	49887	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:43.325026035 CEST	49888	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:44.339535952 CEST	49888	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:46.354765892 CEST	49888	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:48.356209040 CEST	49889	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:49.369630098 CEST	49889	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:51.384824038 CEST	49889	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:53.385111094 CEST	49890	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:54.399749994 CEST	49890	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:56.414952993 CEST	49890	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:58.415139914 CEST	49891	80	192.168.11.30	209.90.233.2
May 2, 2024 08:00:59.429779053 CEST	49891	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:01.445009947 CEST	49891	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:03.464363098 CEST	49892	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:04.475583076 CEST	49892	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:06.490748882 CEST	49892	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:08.491038084 CEST	49893	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:09.505682945 CEST	49893	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:11.520917892 CEST	49893	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:13.521368980 CEST	49894	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:14.535775900 CEST	49894	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:16.550950050 CEST	49894	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:18.569931984 CEST	49895	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:19.581588030 CEST	49895	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:21.596689939 CEST	49895	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:23.596927881 CEST	49896	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:24.611676931 CEST	49896	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:26.626795053 CEST	49896	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:28.627363920 CEST	49897	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:29.641868114 CEST	49897	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:31.641319990 CEST	49897	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:33.658515930 CEST	49899	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:34.671930075 CEST	49899	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:36.687000990 CEST	49899	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:38.687630892 CEST	49900	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:39.702088118 CEST	49900	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:41.717294931 CEST	49900	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:43.717274904 CEST	49901	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:44.732132912 CEST	49901	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:46.747323036 CEST	49901	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:48.764060020 CEST	49902	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:49.777777910 CEST	49902	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:51.792968035 CEST	49902	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:53.793653011 CEST	49903	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:54.807996035 CEST	49903	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:56.823116064 CEST	49903	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:58.823331118 CEST	49904	80	192.168.11.30	209.90.233.2
May 2, 2024 08:01:59.838004112 CEST	49904	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:01.853221893 CEST	49904	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:03.855895042 CEST	49905	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:04.868108034 CEST	49905	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:06.883398056 CEST	49905	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:08.883622885 CEST	49906	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:09.898257971 CEST	49906	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:11.897878885 CEST	49906	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:13.913662910 CEST	49907	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:14.928352118 CEST	49907	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:16.943499088 CEST	49907	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:18.961740971 CEST	49908	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:19.974158049 CEST	49908	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:21.973750114 CEST	49908	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:23.989995956 CEST	49909	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:25.004240036 CEST	49909	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:27.019450903 CEST	49909	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:29.019752026 CEST	49910	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:30.034393072 CEST	49910	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:32.049501896 CEST	49910	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:34.052370071 CEST	49911	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:35.064456940 CEST	49911	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:37.079710960 CEST	49911	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:39.080131054 CEST	49912	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:40.094567060 CEST	49912	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:42.109714985 CEST	49912	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:44.110186100 CEST	49913	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:45.124684095 CEST	49913	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:47.139878988 CEST	49913	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:49.110898018 CEST	49914	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:50.123528004 CEST	49914	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:52.138752937 CEST	49914	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:54.060915947 CEST	49915	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:55.075535059 CEST	49915	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:57.090789080 CEST	49915	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:58.981971979 CEST	49916	80	192.168.11.30	209.90.233.2
May 2, 2024 08:02:59.996272087 CEST	49916	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:02.011462927 CEST	49916	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:03.888499022 CEST	49917	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:04.901458979 CEST	49917	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:06.916704893 CEST	49917	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:08.760945082 CEST	49918	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:09.775362015 CEST	49918	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:11.790463924 CEST	49918	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:13.603712082 CEST	49919	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:14.618019104 CEST	49919	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:16.633219957 CEST	49919	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:18.432859898 CEST	49920	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:19.444994926 CEST	49920	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:21.460223913 CEST	49920	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:23.210825920 CEST	49921	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:24.225352049 CEST	49921	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:26.240413904 CEST	49921	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:27.976680040 CEST	49922	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:28.989820004 CEST	49922	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:31.005002975 CEST	49922	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:32.717152119 CEST	49923	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:33.723030090 CEST	49923	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:35.738171101 CEST	49923	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:37.426054001 CEST	49924	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:38.440737963 CEST	49924	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:40.455960035 CEST	49924	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:42.112818003 CEST	49925	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:43.127201080 CEST	49925	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:45.142437935 CEST	49925	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:46.784746885 CEST	49926	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:47.798039913 CEST	49926	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:49.813261032 CEST	49926	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:51.422995090 CEST	49927	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:52.437669992 CEST	49927	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:54.452785015 CEST	49927	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:56.047070980 CEST	49928	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:57.061518908 CEST	49928	80	192.168.11.30	209.90.233.2
May 2, 2024 08:03:59.076677084 CEST	49928	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:00.675118923 CEST	49929	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:01.685600042 CEST	49929	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:03.700707912 CEST	49929	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:05.263525963 CEST	49930	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:06.278248072 CEST	49930	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:08.293360949 CEST	49930	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:09.825202942 CEST	49931	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:10.839600086 CEST	49931	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:12.854849100 CEST	49931	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:14.388247967 CEST	49932	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:15.401117086 CEST	49932	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:17.416297913 CEST	49932	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:18.916696072 CEST	49933	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:19.931392908 CEST	49933	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:21.946553946 CEST	49933	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:23.431730986 CEST	49934	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:24.445945978 CEST	49934	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:26.461184978 CEST	49934	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:27.931840897 CEST	49935	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:28.944993973 CEST	49935	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:30.960243940 CEST	49935	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:32.413975954 CEST	49936	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:33.428353071 CEST	49936	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:35.443516970 CEST	49936	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:36.881784916 CEST	49937	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:37.896087885 CEST	49937	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:39.911196947 CEST	49937	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:41.357531071 CEST	49938	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:42.363846064 CEST	49938	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:44.363421917 CEST	49938	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:45.785816908 CEST	49939	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:46.800296068 CEST	49939	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:48.815473080 CEST	49939	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:50.206603050 CEST	49940	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:51.221143961 CEST	49940	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:53.236380100 CEST	49940	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:54.620773077 CEST	49941	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:55.626523972 CEST	49941	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:57.641669989 CEST	49941	80	192.168.11.30	209.90.233.2
May 2, 2024 08:04:59.001368046 CEST	49942	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:00.016156912 CEST	49942	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:02.031270981 CEST	49942	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:03.391364098 CEST	49943	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:04.405668020 CEST	49943	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:06.420855999 CEST	49943	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:07.766817093 CEST	49944	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:08.779653072 CEST	49944	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:10.794773102 CEST	49944	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:12.123711109 CEST	49945	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:13.138138056 CEST	49945	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:15.137588978 CEST	49945	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:16.466105938 CEST	49946	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:17.480812073 CEST	49946	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:19.496004105 CEST	49946	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:20.818660021 CEST	49947	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:21.823542118 CEST	49947	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:23.838738918 CEST	49947	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:25.136179924 CEST	49948	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:26.150780916 CEST	49948	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:28.165904999 CEST	49948	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:29.447705030 CEST	49949	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:30.462239027 CEST	49949	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:32.477417946 CEST	49949	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:33.767421007 CEST	49950	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:34.773799896 CEST	49950	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:36.788989067 CEST	49950	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:38.055295944 CEST	49951	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:39.069710016 CEST	49951	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:41.084894896 CEST	49951	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:42.351521015 CEST	49952	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:43.365571022 CEST	49952	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:45.380732059 CEST	49952	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:46.633110046 CEST	49953	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:47.645884991 CEST	49953	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:49.661037922 CEST	49953	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:50.895946026 CEST	49954	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:51.910495043 CEST	49954	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:53.925704002 CEST	49954	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:55.160641909 CEST	49955	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:56.175158978 CEST	49955	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:58.190396070 CEST	49955	80	192.168.11.30	209.90.233.2
May 2, 2024 08:05:59.425057888 CEST	49956	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:00.439857960 CEST	49956	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:02.455127001 CEST	49956	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:03.674738884 CEST	49957	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:04.688883066 CEST	49957	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:06.704101086 CEST	49957	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:07.907682896 CEST	49958	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:08.922262907 CEST	49958	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:10.937393904 CEST	49958	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:12.152046919 CEST	49959	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:13.155697107 CEST	49959	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:15.170871973 CEST	49959	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:16.374596119 CEST	49960	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:17.389107943 CEST	49960	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:19.404242039 CEST	49960	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:20.592628002 CEST	49961	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:21.591294050 CEST	49961	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:23.606496096 CEST	49961	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:24.822159052 CEST	49962	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:25.824666977 CEST	49962	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:27.839860916 CEST	49962	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:29.012145042 CEST	49963	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:30.026904106 CEST	49963	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:32.042053938 CEST	49963	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:33.214490891 CEST	49964	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:34.229027033 CEST	49964	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:36.244133949 CEST	49964	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:37.403196096 CEST	49965	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:38.415575027 CEST	49965	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:40.430696964 CEST	49965	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:41.587523937 CEST	49966	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:42.602137089 CEST	49966	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:44.617295980 CEST	49966	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:45.773979902 CEST	49967	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:46.788640976 CEST	49967	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:48.803873062 CEST	49967	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:49.952843904 CEST	49968	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:50.959562063 CEST	49968	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:52.974792004 CEST	49968	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:54.115900040 CEST	49969	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:55.130455017 CEST	49969	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:57.145689964 CEST	49969	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:58.286886930 CEST	49970	80	192.168.11.30	209.90.233.2
May 2, 2024 08:06:59.301384926 CEST	49970	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:01.316597939 CEST	49970	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:02.443703890 CEST	49971	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:03.456690073 CEST	49971	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:05.456238985 CEST	49971	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:06.597533941 CEST	49972	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:07.612119913 CEST	49972	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:09.627269983 CEST	49972	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:10.753393888 CEST	49973	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:11.751734972 CEST	49973	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:13.766835928 CEST	49973	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:14.916821003 CEST	49974	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:15.922669888 CEST	49974	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:17.937788010 CEST	49974	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:19.047878981 CEST	49975	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:20.062347889 CEST	49975	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:22.077548981 CEST	49975	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:23.187339067 CEST	49976	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:24.202001095 CEST	49976	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:26.217158079 CEST	49976	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:27.335863113 CEST	49977	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:28.341638088 CEST	49977	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:30.356865883 CEST	49977	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:31.466674089 CEST	49978	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:32.481384039 CEST	49978	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:34.496509075 CEST	49978	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:35.590787888 CEST	49979	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:36.605472088 CEST	49979	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:38.620652914 CEST	49979	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:39.717931986 CEST	49980	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:40.729548931 CEST	49980	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:42.744654894 CEST	49980	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:43.839026928 CEST	49981	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:44.853601933 CEST	49981	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:46.868741035 CEST	49981	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:47.962837934 CEST	49982	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:48.977668047 CEST	49982	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:50.992779970 CEST	49982	80	192.168.11.30	209.90.233.2
May 2, 2024 08:07:55.007581949 CEST	49982	80	192.168.11.30	209.90.233.2

Target ID:	6
Start time:	07:59:16
Start date:	02/05/2024
Path:	C:\Users\user\Desktop\01-05-24 remittance.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\01-05-24 remittance.exe"
Imagebase:	0x400000
File size:	339'552 bytes
MD5 hash:	361F6774344487264F85A0AEF1F795CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.533745678739.00000000049B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.533745678739.0000000005541000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:59:56
Start date:	02/05/2024
Path:	C:\Users\user\Desktop\01-05-24 remittance.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\01-05-24 remittance.exe"
Imagebase:	0x400000
File size:	339'552 bytes
MD5 hash:	361F6774344487264F85A0AEF1F795CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000C.00000002.537805205400.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000002.537805205400.00000000021F1000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.4%
Total number of Nodes:	1555
Total number of Limit Nodes:	35

Executed Functions

Function 0040336C Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040338F
GetVersion.KERNEL32 ref: 00403395
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033C8
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403405
OleInitialize.OLE32(00000000), ref: 0040340C
SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 00403428
GetCommandLineW.KERNEL32(007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040343D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\01-05-24 remittance.exe",00000020,"C:\Users\user\Desktop\01-05-24 remittance.exe",00000000,?,00000006,00000008,0000000A), ref: 00403475

Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035AF
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035CC
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004035E8
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035F9
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403601
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403615

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E0
ExitProcess.KERNEL32 ref: 00403701
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403714
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403723
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040372E
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\01-05-24 remittance.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040373A
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403756
DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,user32::EnumWindows(i r1 ,i 0),00000008,?,00000006,00000008,0000000A), ref: 004037B0
CopyFileW.KERNEL32(C:\Users\user\Desktop\01-05-24 remittance.exe,0079F6E0,00000001,?,00000006,00000008,0000000A), ref: 004037C4
CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,00000008,0000000A), ref: 004037F1
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403820
OpenProcessToken.ADVAPI32(00000000), ref: 00403827
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040383C
AdjustTokenPrivileges.ADVAPI32 ref: 0040385F
ExitWindowsEx.USER32(00000002,80040002), ref: 00403884
ExitProcess.KERNEL32 ref: 004038A7

Strings

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae, xrefs: 00403592, 004036B2, 0040375C, 00403766
\Temp, xrefs: 004035C6
Low, xrefs: 004035E2
C:\Users\user\Desktop\01-05-24 remittance.exe, xrefs: 004037BF
user32::EnumWindows(i r1 ,i 0), xrefs: 00403774
~nsu, xrefs: 0040370C
C:\Users\user\AppData\Local\Temp\, xrefs: 004035A4, 004035A9, 004035BF, 004035CB, 004035DA, 004035E7, 004035F3, 004035FB, 00403711, 00403722, 0040372D, 00403739, 00403746, 00403755, 00403806
SeShutdownPrivilege, xrefs: 00403836
.tmp, xrefs: 00403728
1033, xrefs: 00403610
"C:\Users\user\Desktop\01-05-24 remittance.exe", xrefs: 00403443, 00403449, 0040363D
TEMP, xrefs: 004035F4
Error launching installer, xrefs: 00403697
NSIS Error, xrefs: 0040342E
UXTHEME, xrefs: 004033BC, 004033C1, 004033C7
C:\Users\user\AppData\Local\disktyper\twinly\olacaceae, xrefs: 004036BD
TMP, xrefs: 004035FC
C:\Users\user\Desktop, xrefs: 00403733, 00403738, 00403765

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\01-05-24 remittance.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\disktyper\twinly\olacaceae$C:\Users\user\AppData\Local\disktyper\twinly\olacaceae$C:\Users\user\Desktop$C:\Users\user\Desktop\01-05-24 remittance.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::EnumWindows(i r1 ,i 0)$~nsu
API String ID: 3441113951-3778628242
Opcode ID: d8beda2cf6d53e1c23663c7b3f0cac31a10eecbcac031cdf32090e7074c6eb08
Instruction ID: 91e47d7dade8a9784fbcad93861d46a8301334ec9f5f2e607ded2091cc9dec5c
Opcode Fuzzy Hash: d8beda2cf6d53e1c23663c7b3f0cac31a10eecbcac031cdf32090e7074c6eb08
Instruction Fuzzy Hash: 04D12671600300ABD720BF719D45B2B3AACEB8174AF00887FF981B62D1DB7D8955876E

Uniqueness

Uniqueness Score: -1.00%

Function 0040543E Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040549C
GetDlgItem.USER32(?,000003EE), ref: 004054AB
GetClientRect.USER32(?,?), ref: 004054E8
GetSystemMetrics.USER32(00000002), ref: 004054EF
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405510
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405521
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405534
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405542
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405555
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405577
ShowWindow.USER32(?,00000008), ref: 0040558B
GetDlgItem.USER32(?,000003EC), ref: 004055AC
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055BC
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055D5
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055E1
GetDlgItem.USER32(?,000003F8), ref: 004054BA

Part of subcall function 00404243: SendMessageW.USER32(00000028,?,00000001,0040406E), ref: 00404251

GetDlgItem.USER32(?,000003EC), ref: 004055FE
CreateThread.KERNEL32(00000000,00000000,Function_000053D2,00000000), ref: 0040560C
CloseHandle.KERNELBASE(00000000), ref: 00405613
ShowWindow.USER32(00000000), ref: 00405637
ShowWindow.USER32(?,00000008), ref: 0040563C
ShowWindow.USER32(00000008), ref: 00405686
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056BA
CreatePopupMenu.USER32 ref: 004056CB
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056DF
GetWindowRect.USER32(?,?), ref: 004056FF
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405718
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405750
OpenClipboard.USER32(00000000), ref: 00405760
EmptyClipboard.USER32 ref: 00405766
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405772
GlobalLock.KERNEL32(00000000), ref: 0040577C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405790
GlobalUnlock.KERNEL32(00000000), ref: 004057B0
SetClipboardData.USER32(0000000D,00000000), ref: 004057BB
CloseClipboard.USER32 ref: 004057C1

Strings

{, xrefs: 004056A4

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 113d712a5db4ed50a1b1b5b673bec4020998c06132e16f1965ea7ae8cf20c9d1
Instruction ID: e2c232b37aba284685acfefcf9c5e68312cc9a4ea8bcb72f9f75ba3fcde89da4
Opcode Fuzzy Hash: 113d712a5db4ed50a1b1b5b673bec4020998c06132e16f1965ea7ae8cf20c9d1
Instruction Fuzzy Hash: 0EB15871900608FFDB119FA0DD89EAE7B79FB48354F00812AFA44BA1A0CB795E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004059A9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75393420,00000000), ref: 004059D2
lstrcatW.KERNEL32(007A3F28,\*.*), ref: 00405A1A
lstrcatW.KERNEL32(?,0040A014), ref: 00405A3D
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,75393420,00000000), ref: 00405A43
FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,75393420,00000000), ref: 00405A53
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AF3
FindClose.KERNEL32(00000000), ref: 00405B02

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004059B7
(?z, xrefs: 00405A02
\*.*, xrefs: 00405A14
"C:\Users\user\Desktop\01-05-24 remittance.exe", xrefs: 004059A9

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\01-05-24 remittance.exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1094335627
Opcode ID: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
Instruction ID: 8b5db7531a0f4bb83586dba503ceccc8cbbd7972abfd892cd346515476ce1415
Opcode Fuzzy Hash: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
Instruction Fuzzy Hash: 7D41D830900918A6CF21AB65CC89ABF7678EF82718F14827FF801B11C1D77C5985DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 004065DA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,00405CBD,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,?,?,75393420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75393420), ref: 004065E5
FindClose.KERNEL32(00000000), ref: 004065F1

Strings

C:\Users\user\AppData\Local\Temp\nsiAADD.tmp, xrefs: 004065DA
pOz, xrefs: 004065DB

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsiAADD.tmp$pOz
API String ID: 2295610775-2097703002
Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction ID: b37c022bec08382a0cb03c9db181d2efdea8b1f21deeb05207148622359d6313
Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction Fuzzy Hash: EFD01231519020AFC2001B38BD0C84B7A589F463307158B3AB4A6F11E4CB788C6296A9

Uniqueness

Uniqueness Score: -1.00%

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae, xrefs: 004021C3

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\disktyper\twinly\olacaceae
API String ID: 542301482-2587753875
Opcode ID: 0326187cb6f3aa8576298b5e036a2c11f339b3bd0d2bdeb2ff7519c651439843
Instruction ID: 44dbb1f4cc336c57ce2cc8e41acb070c301bef303074bcddb75448daa591af87
Opcode Fuzzy Hash: 0326187cb6f3aa8576298b5e036a2c11f339b3bd0d2bdeb2ff7519c651439843
Instruction Fuzzy Hash: 29413A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00403D35 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D71
ShowWindow.USER32(?), ref: 00403D8E
DestroyWindow.USER32 ref: 00403DA2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DBE
GetDlgItem.USER32(?,?), ref: 00403DDF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DF3
IsWindowEnabled.USER32(00000000), ref: 00403DFA
GetDlgItem.USER32(?,00000001), ref: 00403EA8
GetDlgItem.USER32(?,00000002), ref: 00403EB2
SetClassLongW.USER32(?,000000F2,?), ref: 00403ECC
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F1D
GetDlgItem.USER32(?,00000003), ref: 00403FC3
ShowWindow.USER32(00000000,?), ref: 00403FE4
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FF6
EnableWindow.USER32(?,?), ref: 00404011
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404027
EnableMenuItem.USER32(00000000), ref: 0040402E
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404046
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404059
lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404083
SetWindowTextW.USER32(?,007A1F20), ref: 00404097
ShowWindow.USER32(?,0000000A), ref: 004041CB

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
Instruction ID: db2580999c41c4fe450d1ee4fd1a55221d51bf0aef153e7307bc2b2ec56299a6
Opcode Fuzzy Hash: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
Instruction Fuzzy Hash: 3FC1DEB2504200AFDB206F61ED48E2B3AA8EB9A745F01453FF651B11F0CB399991DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00403987 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

lstrcatW.KERNEL32(1033,007A1F20), ref: 00403A08
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\disktyper\twinly\olacaceae,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A88
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\disktyper\twinly\olacaceae,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A9B
GetFileAttributesW.KERNEL32(Call), ref: 00403AA6
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\disktyper\twinly\olacaceae), ref: 00403AEF

Part of subcall function 004061DE: wsprintfW.USER32 ref: 004061EB

RegisterClassW.USER32(007A79C0), ref: 00403B2C
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B44
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B79
ShowWindow.USER32(00000005,00000000), ref: 00403BAF
GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BDB
GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BE8
RegisterClassW.USER32(007A79C0), ref: 00403BF1
DialogBoxParamW.USER32(?,00000000,00403D35,00000000), ref: 00403C10

Strings

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae, xrefs: 00403A17, 00403A1F, 00403AC2, 00403AC8, 00403AD8
Control Panel\Desktop\ResourceLocale, xrefs: 004039BB
C:\Users\user\AppData\Local\Temp\, xrefs: 00403993
RichEdit20W, xrefs: 00403BD3, 00403BD9
_Nb, xrefs: 00403B0B, 00403B73
1033, xrefs: 004039A7, 00403A03
"C:\Users\user\Desktop\01-05-24 remittance.exe", xrefs: 0040398B
.DEFAULT\Control Panel\International, xrefs: 004039F3
RichEdit, xrefs: 00403BE2
.exe, xrefs: 00403A95
RichEd32, xrefs: 00403BC3
RichEd20, xrefs: 00403BB5
Call, xrefs: 00403A4F, 00403A58, 00403A66, 00403AB5, 00403ABB

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\01-05-24 remittance.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\disktyper\twinly\olacaceae$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3154412501
Opcode ID: 5efdd576b0375bd94a8dbc7a0fdf9f518553da7ec9f32726dc5b61ea38774d75
Instruction ID: 5f7f018ee7b38579f5aecc952839a0aab634e672fc23aff8223df5b191a74692
Opcode Fuzzy Hash: 5efdd576b0375bd94a8dbc7a0fdf9f518553da7ec9f32726dc5b61ea38774d75
Instruction Fuzzy Hash: 1761A374200700AED620AF669D45F2B3A6CEB86B45F40857FF942B62E2DB7D5901CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EDD Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EEE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\01-05-24 remittance.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A

Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\01-05-24 remittance.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\01-05-24 remittance.exe,C:\Users\user\Desktop\01-05-24 remittance.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56

Strings

soft, xrefs: 00402FCB
C:\Users\user\Desktop\01-05-24 remittance.exe, xrefs: 00402EF4, 00402F03, 00402F17, 00402F37
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EE7
Inst, xrefs: 00402FC2
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
vy, xrefs: 00402F6B
"C:\Users\user\Desktop\01-05-24 remittance.exe", xrefs: 00402EDD
C:\Users\user\Desktop, xrefs: 00402F38, 00402F3D, 00402F43
Error launching installer, xrefs: 00402F2D
Null, xrefs: 00402FD4

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\01-05-24 remittance.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\01-05-24 remittance.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
API String ID: 4283519449-4002130044
Opcode ID: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
Instruction ID: 6efc7070ea8ae83888cd6b0cd51e2fb70848d81e0c864f736895acd6ba0a04dc
Opcode Fuzzy Hash: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
Instruction Fuzzy Hash: 6251C271901208ABDB20AF65DD85BAE7FA8EB05355F10807BF904B62D5DB7C8E408B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004062B9 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063FA
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F00,?,00405336,007A0F00,00000000), ref: 0040640D
SHGetSpecialFolderLocation.SHELL32(00405336,007926D8,00000000,007A0F00,?,00405336,007A0F00,00000000), ref: 00406449
SHGetPathFromIDListW.SHELL32(007926D8,Call), ref: 00406457
CoTaskMemFree.OLE32(007926D8), ref: 00406462
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406488
lstrlenW.KERNEL32(Call,00000000,007A0F00,?,00405336,007A0F00,00000000), ref: 004064E0

Strings

user32::EnumWindows(i r1 ,i 0), xrefs: 004064B6
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063CA
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406482
Call, xrefs: 004062E3, 004063BE, 004063C5, 004063C9, 004063E3, 004063E4, 004063F9, 0040640C, 00406428, 00406453, 00406487, 0040648D, 004064A9, 004064BC, 004064D9, 004064DF, 004064EB, 0040651E

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::EnumWindows(i r1 ,i 0)
API String ID: 717251189-3319343437
Opcode ID: c5f288c51163dcb21805239af0cd7de892ba1a406cc9b333ec752c201d2fd575
Instruction ID: ad54f5a0451019572b14835e242786a4a9a111c9f12b884a772ad5635cf5c1ab
Opcode Fuzzy Hash: c5f288c51163dcb21805239af0cd7de892ba1a406cc9b333ec752c201d2fd575
Instruction Fuzzy Hash: D0613671A00511ABDF209F24DD40ABE37A5AF45314F12813FE943BA2D0EB3C99A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\disktyper\twinly\olacaceae,?,?,00000031), ref: 004017D5

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

Part of subcall function 004052FF: lstrlenW.KERNEL32(007A0F00,00000000,007926D8,753923A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,007A0F00,00000000,007926D8,753923A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
Part of subcall function 004052FF: lstrcatW.KERNEL32(007A0F00,00403257), ref: 0040535A
Part of subcall function 004052FF: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 0040536C
Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

Strings

Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\disktyper\twinly\olacaceae, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Temp\nsiAADD.tmp, xrefs: 00401821, 0040183F

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsiAADD.tmp$C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll$C:\Users\user\AppData\Local\disktyper\twinly\olacaceae$Call
API String ID: 1941528284-4156782007
Opcode ID: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
Instruction ID: 2a95d3c8b727dc51f4ea131d05094547f585338353aa12d45a2270be549af1c7
Opcode Fuzzy Hash: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
Instruction Fuzzy Hash: C141B471910514BACF107BA5DD45DAF3A79EF45328B20823FF512B10E1DB3C4A519B6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405E6E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,?,0040262F,00000000,00000000,?,00000000,00000011), ref: 00405E84

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: d48387ae3e024a72c6243637e6df33ec40d1b18911dabf8db30d8cce87806c70
Instruction ID: 60624729709df044e3b9a276a2138f1bd207bb457e97f94edfd4483e5cf9eee0
Opcode Fuzzy Hash: d48387ae3e024a72c6243637e6df33ec40d1b18911dabf8db30d8cce87806c70
Instruction Fuzzy Hash: 61510974D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D0DBB89982CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004052FF Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(007A0F00,00000000,007926D8,753923A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
lstrlenW.KERNEL32(00403257,007A0F00,00000000,007926D8,753923A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
lstrcatW.KERNEL32(007A0F00,00403257), ref: 0040535A
SetWindowTextW.USER32(007A0F00,007A0F00), ref: 0040536C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: d3653f13458b7317840ca79dc32cb7632281d068d931c5ba13ed513af890554b
Instruction ID: 8b92f55a8d4b67b8ae829402156b3fb25f72412c241cd3f1eea2d9b1658803e5
Opcode Fuzzy Hash: d3653f13458b7317840ca79dc32cb7632281d068d931c5ba13ed513af890554b
Instruction Fuzzy Hash: 66216071900618BACB11AFA5DD859CFBF78EF85350F10846AF904B62A0C7B94A50CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00406601 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
wsprintfW.USER32 ref: 00406653
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406667

Strings

\, xrefs: 00406629
UXTHEME, xrefs: 0040660A
%s%S.dll, xrefs: 0040664D

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 65f2176863960af248fb2a7cbd18121a9a3b282edca47cb762b3bdaa43f9a997
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: 14F0217050121967CB10AB68DD0DFDB376CA700304F10447AB547F10D1EBBDDA65CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403180
GetTickCount.KERNEL32 ref: 00403204
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 0040322D
wsprintfW.USER32 ref: 00403240

Strings

... %d%%, xrefs: 0040323A

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
Instruction ID: 204c6f4639eb8c290f7f343d6ac391169eef919077521cdf394e4ce58078bb87
Opcode Fuzzy Hash: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
Instruction Fuzzy Hash: 7A518931900219EBCB10DF65DA84A9F7FA8AB44366F1441BBED14B62C0D7789F50CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004057CE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405811
GetLastError.KERNEL32 ref: 00405825
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040583A
GetLastError.KERNEL32 ref: 00405844

Strings

C:\Users\user\Desktop, xrefs: 004057CE

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3443045126
Opcode ID: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction ID: 01ea3c1de2a05013c1d67d3c9518431b7dffb81e47bf32f25e54335cbdd49c10
Opcode Fuzzy Hash: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
Instruction Fuzzy Hash: D2010872C10219DADF00AFA1C9447EFBBB8EF14305F00803AD945B6280E77896188FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405DBC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405DDA
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\01-05-24 remittance.exe",0040336A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75393420,004035B6), ref: 00405DF5

Strings

nsa, xrefs: 00405DC9
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DC1, 00405DC5
"C:\Users\user\Desktop\01-05-24 remittance.exe", xrefs: 00405DBC

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\01-05-24 remittance.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1787576071
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 33897e7ea40e9bcc5f45ceb9d35bf1368e2cdd1c67b8b6f6c5069f2428d8a25f
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: D4F03076610304FBEB009F69DD05F9FBBB8EB95710F10803AED40E7250E6B1AA54CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 734B1777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 734B1B5F: GlobalFree.KERNEL32(?), ref: 734B1DB2
Part of subcall function 734B1B5F: GlobalFree.KERNEL32(?), ref: 734B1DB7
Part of subcall function 734B1B5F: GlobalFree.KERNEL32(?), ref: 734B1DBC

GlobalFree.KERNEL32(00000000), ref: 734B1825
FreeLibrary.KERNEL32(?), ref: 734B18AB
GlobalFree.KERNEL32(00000000), ref: 734B18D0

Part of subcall function 734B2352: GlobalAlloc.KERNEL32(00000040,?), ref: 734B2383

Part of subcall function 734B2724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,734B17F6,00000000), ref: 734B27F4

Part of subcall function 734B15C6: wsprintfW.USER32 ref: 734B15F4

Strings

, xrefs: 734B18B1

Memory Dump Source

Source File: 00000006.00000002.533763640156.00000000734B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 734B0000, based on PE: true

Associated: 00000006.00000002.533763573689.00000000734B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763687726.00000000734B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763739600.00000000734B6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_734b0000_01-05-24 remittance.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 80233c4d68c1520ff18218708e048ee8250296dc4aa92d6e73b882237df4fdb4
Instruction ID: 366bb2ce91b4f3d03270e34354f4e81002db975c57a33fa605e261ab3d1f1ff1
Opcode Fuzzy Hash: 80233c4d68c1520ff18218708e048ee8250296dc4aa92d6e73b882237df4fdb4
Instruction Fuzzy Hash: BE41BF72400388DBEB0D9F749884B8637FEBB05350F184569E90BAA2C6DB7C8585C778

Uniqueness

Uniqueness Score: -1.00%

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 0040242F
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 0040246F
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\nsiAADD.tmp, xrefs: 00402420, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsiAADD.tmp
API String ID: 2655323295-1538913942
Opcode ID: e4c63a464812e31c68653a2d561002cfdcec3cddba2e48d4c9e2fa9e1af61684
Instruction ID: 82080937d165882f0efaaa77ae0bb3c7350c3cd8b3028382441b60bd8f3f090b
Opcode Fuzzy Hash: e4c63a464812e31c68653a2d561002cfdcec3cddba2e48d4c9e2fa9e1af61684
Instruction Fuzzy Hash: 60118171D00104BEEF10AFA5DE89EAEBAB4EB44754F11803BF504B71D1DBB88D419B28

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405C17: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,?,?,75393420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75393420,00000000), ref: 00405C25
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004057CE: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405811

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\disktyper\twinly\olacaceae,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae, xrefs: 00401640

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\disktyper\twinly\olacaceae
API String ID: 1892508949-2587753875
Opcode ID: 54df887ae09462074095b126549abc23ab63c7b2394cf9b5eb7ef3472ce62764
Instruction ID: 83f66e59323efd8676d207054edf3c08df55f1f8244358cc2c8da33562713246
Opcode Fuzzy Hash: 54df887ae09462074095b126549abc23ab63c7b2394cf9b5eb7ef3472ce62764
Instruction Fuzzy Hash: 1811D031504500EBCF20BFA1CD0199E36A0EF15329B28493FFA45B22F1DB3E89919A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00406165 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,007A0F00,00000000,?,?,Call,?,?,004063D9,80000002), ref: 004061AB
RegCloseKey.ADVAPI32(?,?,004063D9,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F00), ref: 004061B6

Strings

Call, xrefs: 0040616C

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: f8c60df0673843c4a96ed35a73ceba2ba355a7ad566f59c539dda5576aee505e
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B301BC72500219EADF21CF50CC09EDB3BA8EB04360F01803AFD16A6191E778D964CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 004052FF: lstrlenW.KERNEL32(007A0F00,00000000,007926D8,753923A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,007A0F00,00000000,007926D8,753923A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
Part of subcall function 004052FF: lstrcatW.KERNEL32(007A0F00,00403257), ref: 0040535A
Part of subcall function 004052FF: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 0040536C
Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNEL32(?,?,000000F7,?,?,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 5475f02f106110a916f15ee9ab206587335882ec0c1efca6123a78a63609b3d2
Instruction ID: 589db8f59639f89aa10495d7cc04380c60c8a7cdceb46225d1e949d191b74c22
Opcode Fuzzy Hash: 5475f02f106110a916f15ee9ab206587335882ec0c1efca6123a78a63609b3d2
Instruction Fuzzy Hash: 51218071D00205AACF20AFA5CE4999E7A70BF04358F74813BF511B51E0DBBD8991DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00402484 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 2817fdc1b453530556b1233eeb78b93eab19bad1ba8c502dca76499b0c80bb5e
Instruction ID: 1ba22ac92ecf447665b3913d31df39b0814a7bcf15a964c104b9173a467dca89
Opcode Fuzzy Hash: 2817fdc1b453530556b1233eeb78b93eab19bad1ba8c502dca76499b0c80bb5e
Instruction Fuzzy Hash: 2A119431910205EBDB14DFA4CA585AE77B4FF44348F20843FE445B72C0D6B85A41EB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction ID: 2a828f8333626ea4f8ae47897e76cf54d119540c9549312051f7543085d76b41
Opcode Fuzzy Hash: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction Fuzzy Hash: 9101D132624210ABE7095B789D04B6A3698E751315F10C63BB851F66F1DA7C8C429B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00406671 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
GetProcAddress.KERNEL32(00000000,?), ref: 0040669E

Part of subcall function 00406601: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
Part of subcall function 00406601: wsprintfW.USER32 ref: 00406653
Part of subcall function 00406601: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406667

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction ID: f8cbec149f8048a337a195de8e089d72e19c2715f3a6386891d9cbb614a09016
Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
Instruction Fuzzy Hash: D3E08C326042116AD7119A709E4497B66AC9A89740307883EFD46F2181EB3A9C31AAAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405D8D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\01-05-24 remittance.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Uniqueness

Uniqueness Score: -1.00%

Function 0040584B Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75393420,004035B6,?,00000006,00000008,0000000A), ref: 00405851
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040585F

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: 569726fefb5a692a208b00f3c4627a0038051db83374957b12f20e82e1ac62f2
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 97C08C71211501DAC7002F318F08B073A50AB20340F15883DA64AE00E0CA308024D92D

Uniqueness

Uniqueness Score: -1.00%

Function 734B2AAC Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 734B2B6B

Memory Dump Source

Source File: 00000006.00000002.533763640156.00000000734B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 734B0000, based on PE: true

Associated: 00000006.00000002.533763573689.00000000734B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763687726.00000000734B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763739600.00000000734B6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_734b0000_01-05-24 remittance.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: d7d071040fb5e7688600ba4bceea338b333f77276193f84f8ba1b99dfb33a088
Instruction ID: 6e67eaf2298aa8d01552d8603aa408b4ab40145923f2941e85042baeaf398229
Opcode Fuzzy Hash: d7d071040fb5e7688600ba4bceea338b333f77276193f84f8ba1b99dfb33a088
Instruction Fuzzy Hash: DB41C9B250438CDFEB2DEF65D981749B7B9FB08314F30485AE509E6240E63D9885CBB9

Uniqueness

Uniqueness Score: -1.00%

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 247614074387ddf49fb34d9eb779133587ab9651d842078511bd8ab1cd59351b
Instruction ID: 16c808a3fa43409a0dace5e722657a1cb802c7d5bfe56f7f9e84e6d94f05a41a
Opcode Fuzzy Hash: 247614074387ddf49fb34d9eb779133587ab9651d842078511bd8ab1cd59351b
Instruction Fuzzy Hash: 37F09031A08520A3DB20BBA54F4DD5F22509F82368B28473BF512B21E0DAFCC541996E

Uniqueness

Uniqueness Score: -1.00%

Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D

Part of subcall function 004061DE: wsprintfW.USER32 ref: 004061EB

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 0b7865f55a797e749d08424de9efac2c318f559da3342da8896f4518619f0d19
Instruction ID: 3ba1a586ac1cc8d3ea25a0795e598956c64e687a6a58d5eb07b83777971078e7
Opcode Fuzzy Hash: 0b7865f55a797e749d08424de9efac2c318f559da3342da8896f4518619f0d19
Instruction Fuzzy Hash: F7E06D71E00104ABD710DBA5AE098BEB768EB84308B24803BF201F50D1CA7909119F2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 5fb29c7ac6bd4be6067060594f6abdd8dc98f2d64ebda3ebf196088e56367313
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 5fb29c7ac6bd4be6067060594f6abdd8dc98f2d64ebda3ebf196088e56367313
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Uniqueness

Uniqueness Score: -1.00%

Function 00406132 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040615B

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 5f0451bdd463ed866e2305ac1dfee878cc5b4d333075ebda4e05e47d22d2a603
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 6BE0E672110109BEDF099F50DD0AD7B371DE704304F01452EFA06D5051E6B5AD305674

Uniqueness

Uniqueness Score: -1.00%

Function 00405E10 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403321,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E24

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 994fac52afecd872c6575aa209eb3fbbfd601c2a51b89c6ee9ed5d101180f43c
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 93E08C3220525AABCF109F51CC04EEB3B6CEB04360F000832FD98E2040D230EA219BE4

Uniqueness

Uniqueness Score: -1.00%

Function 00405E3F Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032D7,000000FF,0078B6D8,?,0078B6D8,?,?,00000004,00000000), ref: 00405E53

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 720248cc98aac2988b2abacb793a2dea5f933c74ab6652834825bf215bbdf934
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 72E08C3220025AABCF109F60DC00AEB3B6CFB007E0F048432F951E3040D230EA208FE4

Uniqueness

Uniqueness Score: -1.00%

Function 734B2993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(734B505C,00000004,00000040,734B504C), ref: 734B29B1

Memory Dump Source

Source File: 00000006.00000002.533763640156.00000000734B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 734B0000, based on PE: true

Associated: 00000006.00000002.533763573689.00000000734B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763687726.00000000734B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763739600.00000000734B6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_734b0000_01-05-24 remittance.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e52a294c4c4c7ba609f25ff3998f4d2f43518edcf4e2ad841d83893dcfaa5585
Instruction ID: ce3446271401e485cb8da3b6af41d19d920ea662138ae86237fce99fa0709d66
Opcode Fuzzy Hash: e52a294c4c4c7ba609f25ff3998f4d2f43518edcf4e2ad841d83893dcfaa5585
Instruction Fuzzy Hash: C6F0A5F2604280DFC399EF2A9484709BBF0BB1A304B2445AAE19CF6242F3344844CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040234E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040237F

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 02063b2f2a15e35aa2e5cb5be45ce6d3182860571126b7350f2cc0bbe7027d05
Instruction ID: 3d6fae6e588f42459dd5c721a8c471f59e455a0f8de0d1d47597fcd0a09f6ae9
Opcode Fuzzy Hash: 02063b2f2a15e35aa2e5cb5be45ce6d3182860571126b7350f2cc0bbe7027d05
Instruction Fuzzy Hash: 68E04830804208AADF106FA1CE499AE3A64AF00341F144439F9957B0D1E6F8C4816745

Uniqueness

Uniqueness Score: -1.00%

Function 00406104 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F00,?,?,00406192,007A0F00,00000000,?,?,Call,?), ref: 00406128

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 68c61e8d1810f1ea9cab55705828a401d3ebcdae1eadef42580152fd7570d6fd
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 4BD0123204020EBBDF11AE909D01FAB3B1DEB08350F014826FE06A80A2D776D530AB54

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 99b224af46cdf8f89f3b15e0f2cf225334fcfe2526a8f22c9c92f8a7263cf905
Instruction ID: c073ba0ee5163cb04706f99935c2f3c73a5a9b1a05bee32f9da8622fc5c815d0
Opcode Fuzzy Hash: 99b224af46cdf8f89f3b15e0f2cf225334fcfe2526a8f22c9c92f8a7263cf905
Instruction Fuzzy Hash: 68D01272B04100D7DB50DBE4AF4899D73A4AB84369B348577E102F11D0DAB9D9515B29

Uniqueness

Uniqueness Score: -1.00%

Function 0040420E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,?,00000000), ref: 00404228

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: e97594aea4ef24126c33863332ae7c1030a5f9b1799084ec29790e1dd493689a
Instruction ID: 63b891754011e440e0d94daa841b92641dfd50a55b594a1260e2d23e33f8b36d
Opcode Fuzzy Hash: e97594aea4ef24126c33863332ae7c1030a5f9b1799084ec29790e1dd493689a
Instruction Fuzzy Hash: 83C04C7A548200BFD641B755CC42F1FB7DDEF94316F11C52EB69CA11D1C63584309B26

Uniqueness

Uniqueness Score: -1.00%

Function 0040425A Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
Instruction ID: 075ccd8dd3a5a116662ee2c7ada5c50e1725780f7e4f2104ac300affc7ba1253
Opcode Fuzzy Hash: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
Instruction Fuzzy Hash: 09C04CB1744201AADE108B609D45F0777585790740F158569B350E50E4C674E450D62D

Uniqueness

Uniqueness Score: -1.00%

Function 00404243 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,0040406E), ref: 00404251

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction ID: 5dee82f2d739acac93035fb571c052082ac1606baee7bb158d490297d0aa81d3
Opcode Fuzzy Hash: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction Fuzzy Hash: 99B09236190A00AADE614B40DE49F457A62A7A8701F00C029B240640B0CAB200A0DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00403324 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403332

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404230 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404007), ref: 0040423A

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
Instruction ID: 2198674f4dd135e02f2a8ae7056ebba5a8e761495b22eeaea90ee2a366c7106d
Opcode Fuzzy Hash: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
Instruction Fuzzy Hash: 0AA002754455409FDF015B50EF048057A61B7E5741B61C469A25551074C7354461EB19

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4484e40c8847390ad24901e1c64382b1b039e93175f5d76bb293bea36d4a14a5
Instruction ID: a51ecd0892fb275ea92473d319bbbc5ec4fc6164fb370921ec18ec876cc9dfbc
Opcode Fuzzy Hash: 4484e40c8847390ad24901e1c64382b1b039e93175f5d76bb293bea36d4a14a5
Instruction Fuzzy Hash: A6D05E73E142008BD750DBB8BA8945E73A8F781319320C83BE102F1191E97888524A2D

Uniqueness

Uniqueness Score: -1.00%

Function 734B121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,734B123B,?,734B12DF,00000019,734B11BE,-000000A0), ref: 734B1225

Memory Dump Source

Source File: 00000006.00000002.533763640156.00000000734B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 734B0000, based on PE: true

Associated: 00000006.00000002.533763573689.00000000734B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763687726.00000000734B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763739600.00000000734B6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_734b0000_01-05-24 remittance.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: e3df1a54f6180cf51553e1234f66b171a7e166b3ec0564ff8b2ae84e522e09d6
Instruction ID: 153aa82d1b3e82f889a689e5eb6ad123620cf103be6234e7086e3a8fbe80ec8e
Opcode Fuzzy Hash: e3df1a54f6180cf51553e1234f66b171a7e166b3ec0564ff8b2ae84e522e09d6
Instruction Fuzzy Hash: 1EB012B2A00000DFEE04AB65CC06F3432D4E700301F144040F608F0280E1204C008534

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404C7B Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C93
GetDlgItem.USER32(?,00000408), ref: 00404C9E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CE8
LoadBitmapW.USER32(0000006E), ref: 00404CFB
SetWindowLongW.USER32(?,000000FC,00405273), ref: 00404D14
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D28
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D3A
SendMessageW.USER32(?,00001109,00000002), ref: 00404D50
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D5C
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D6E
DeleteObject.GDI32(00000000), ref: 00404D71
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D9C
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DA8
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E3E
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E69
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E7D
GetWindowLongW.USER32(?,000000F0), ref: 00404EAC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EBA
ShowWindow.USER32(?,00000005), ref: 00404ECB
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FC8
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040502D
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405042
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405066
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405086
ImageList_Destroy.COMCTL32(?), ref: 0040509B
GlobalFree.KERNEL32(?), ref: 004050AB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405124
SendMessageW.USER32(?,00001102,?,?), ref: 004051CD
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051DC
InvalidateRect.USER32(?,00000000,00000001), ref: 004051FC
ShowWindow.USER32(?,00000000), ref: 0040524A
GetDlgItem.USER32(?,000003FE), ref: 00405255
ShowWindow.USER32(00000000), ref: 0040525C

Strings

M, xrefs: 00404E25
N, xrefs: 00404F06
, xrefs: 00405234

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
Instruction ID: 9d148378a915bf423124f05431c6d1c5c5454a8af56f3bee09cc42272145c63f
Opcode Fuzzy Hash: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
Instruction Fuzzy Hash: 59026EB0900209EFEB109F54DD85AAE7BB9FB85314F10817AF610BA2E1D7799E41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004046FF Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040474E
SetWindowTextW.USER32(00000000,?), ref: 00404778
SHBrowseForFolderW.SHELL32(?), ref: 00404829
CoTaskMemFree.OLE32(00000000), ref: 00404834
lstrcmpiW.KERNEL32(Call,007A1F20,00000000,?,?), ref: 00404866
lstrcatW.KERNEL32(?,Call), ref: 00404872
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404884

Part of subcall function 004058E1: GetDlgItemTextW.USER32(?,?,00000400,004048BB), ref: 004058F4

Part of subcall function 0040652B: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\01-05-24 remittance.exe",00403347,C:\Users\user\AppData\Local\Temp\,75393420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
Part of subcall function 0040652B: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
Part of subcall function 0040652B: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\01-05-24 remittance.exe",00403347,C:\Users\user\AppData\Local\Temp\,75393420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
Part of subcall function 0040652B: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\01-05-24 remittance.exe",00403347,C:\Users\user\AppData\Local\Temp\,75393420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5

GetDiskFreeSpaceW.KERNEL32(0079FEF0,?,?,0000040F,?,0079FEF0,0079FEF0,?,00000001,0079FEF0,?,?,000003FB,?), ref: 00404947
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404962

Part of subcall function 00404ABB: lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
Part of subcall function 00404ABB: wsprintfW.USER32 ref: 00404B65
Part of subcall function 00404ABB: SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78

Strings

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae, xrefs: 0040484F
user32::EnumWindows(i r1 ,i 0), xrefs: 00404718
A, xrefs: 00404822
Call, xrefs: 00404860, 00404865, 00404870

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\disktyper\twinly\olacaceae$Call$user32::EnumWindows(i r1 ,i 0)
API String ID: 2624150263-817482787
Opcode ID: 16a3f34e9c3bfdbf9074f5d43187f1c0d54a2133e025b4be6914448f46c61fd0
Instruction ID: d6689dd06746f62e3dccefeeeb603cce7d7bc9c76077680089f181f5c68842d6
Opcode Fuzzy Hash: 16a3f34e9c3bfdbf9074f5d43187f1c0d54a2133e025b4be6914448f46c61fd0
Instruction Fuzzy Hash: DFA190F1900209ABDB11AFA5CD41AAFB7B8EF85304F10843BF611B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 734B1B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 734B121B: GlobalAlloc.KERNELBASE(00000040,?,734B123B,?,734B12DF,00000019,734B11BE,-000000A0), ref: 734B1225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 734B1C6B
lstrcpyW.KERNEL32(00000008,?), ref: 734B1CB3
lstrcpyW.KERNEL32(00000808,?), ref: 734B1CBD
GlobalFree.KERNEL32(00000000), ref: 734B1CD0
GlobalFree.KERNEL32(?), ref: 734B1DB2
GlobalFree.KERNEL32(?), ref: 734B1DB7
GlobalFree.KERNEL32(?), ref: 734B1DBC
GlobalFree.KERNEL32(00000000), ref: 734B1FA6
lstrcpyW.KERNEL32(?,?), ref: 734B2140
GetModuleHandleW.KERNEL32(00000008), ref: 734B21B5
LoadLibraryW.KERNEL32(00000008), ref: 734B21C6
GetProcAddress.KERNEL32(?,?), ref: 734B2220
lstrlenW.KERNEL32(00000808), ref: 734B223A

Memory Dump Source

Source File: 00000006.00000002.533763640156.00000000734B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 734B0000, based on PE: true

Associated: 00000006.00000002.533763573689.00000000734B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763687726.00000000734B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763739600.00000000734B6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_734b0000_01-05-24 remittance.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 9a7b6cbadfc96cf87d0680c6d503cac5faa8c9f2370ba2a14ec34074a2b6a1bd
Instruction ID: 80d748ecb141f4818e0ccd4e82c4110e0f0e3c86926387c432e839b0c08c6172
Opcode Fuzzy Hash: 9a7b6cbadfc96cf87d0680c6d503cac5faa8c9f2370ba2a14ec34074a2b6a1bd
Instruction Fuzzy Hash: 72229C71D0424ADFDB1A9FA4C5847EEB7FAFB04305F14452ED1A6E3280D7789A81CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 512375b0d91e1f35eaafe1d2d9ea6627de5ab3dbf7b488781e982afef0b9970b
Instruction ID: f65ff15fdb1f10fb5373ba158cef8787300933468326e23b7288bb8c2237705b
Opcode Fuzzy Hash: 512375b0d91e1f35eaafe1d2d9ea6627de5ab3dbf7b488781e982afef0b9970b
Instruction Fuzzy Hash: 87F0E271A10000ABCB00EFA0D9099ADB378EF04314F20417BF401F21D0DBB85D409B2A

Uniqueness

Uniqueness Score: -1.00%

Function 004043CD Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040446B
GetDlgItem.USER32(?,000003E8), ref: 0040447F
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040449C
GetSysColor.USER32(?), ref: 004044AD
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044BB
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044C9
lstrlenW.KERNEL32(?), ref: 004044CE
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044DB
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044F0
GetDlgItem.USER32(?,0000040A), ref: 00404549
SendMessageW.USER32(00000000), ref: 00404550
GetDlgItem.USER32(?,000003E8), ref: 0040457B
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045BE
LoadCursorW.USER32(00000000,00007F02), ref: 004045CC
SetCursor.USER32(00000000), ref: 004045CF
LoadCursorW.USER32(00000000,00007F00), ref: 004045E8
SetCursor.USER32(00000000), ref: 004045EB
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040461A
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040462C

Strings

DC@, xrefs: 004045D7
N, xrefs: 00404569
Call, xrefs: 004045AA

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$DC@$N
API String ID: 3103080414-3199507676
Opcode ID: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
Instruction ID: 7c305bb631aa8564409a9791ba7e53f932479190766108f73685c8e55a50eb1d
Opcode Fuzzy Hash: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
Instruction Fuzzy Hash: 3B61A0B1900209BFDF10AF60DD45AAA7B69FB85344F00843AF701B61E0D77DA951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7A20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
Instruction ID: 0958fbfe94b1809001ec2c76305b3cf500f7264b01c73c256976ee1787a3906e
Opcode Fuzzy Hash: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
Instruction Fuzzy Hash: B1418C71800209AFCF058F95DE459AF7BB9FF45310F00842AF591AA1A0CB38D954DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE3 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040607E,?,?), ref: 00405F1E
GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405F27

Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34

GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F44
wsprintfA.USER32 ref: 00405F62
GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?,?,?,?,?), ref: 00405F9D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FAC
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE4
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040603A
GlobalFree.KERNEL32(00000000), ref: 0040604B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406052

Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\01-05-24 remittance.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3

Strings

%ls=%ls, xrefs: 00405F58
[Rename], xrefs: 00405FCC, 00405FDE

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 210d5d9a443b3001b4c7cda13cc78adcf358d44dd1d7e4f25ad0eda9c69d4b7c
Instruction ID: 42876e8bd8e74e9ce15c52ab3024c97c29192655820983ae090f8c600f4dcad6
Opcode Fuzzy Hash: 210d5d9a443b3001b4c7cda13cc78adcf358d44dd1d7e4f25ad0eda9c69d4b7c
Instruction Fuzzy Hash: 25312530240B156BD220BB218D48F6B3A9DEF86744F15003AFA42F62D1EA7DD8148ABD

Uniqueness

Uniqueness Score: -1.00%

Function 0040652B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\01-05-24 remittance.exe",00403347,C:\Users\user\AppData\Local\Temp\,75393420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\01-05-24 remittance.exe",00403347,C:\Users\user\AppData\Local\Temp\,75393420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\01-05-24 remittance.exe",00403347,C:\Users\user\AppData\Local\Temp\,75393420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5

Strings

*?|<>/":, xrefs: 0040657D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040652C, 00406531
"C:\Users\user\Desktop\01-05-24 remittance.exe", xrefs: 0040652B

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\01-05-24 remittance.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-557573892
Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction ID: 354a4add7e9ac5ce680480da4fd3ed99b8030fd96c8c1ffbe99f836226306b46
Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
Instruction Fuzzy Hash: 4511B655800612A5DF303B14AD44A7772F8EF547A0F56443FE985733C4E77C5C9286AD

Uniqueness

Uniqueness Score: -1.00%

Function 00404275 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404292
GetSysColor.USER32(00000000), ref: 004042D0
SetTextColor.GDI32(?,00000000), ref: 004042DC
SetBkMode.GDI32(?,?), ref: 004042E8
GetSysColor.USER32(?), ref: 004042FB
SetBkColor.GDI32(?,?), ref: 0040430B
DeleteObject.GDI32(?), ref: 00404325
CreateBrushIndirect.GDI32(?), ref: 0040432F

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 595a5ac3551c8926a474018cd00e052a0643935c19338169816fcf7950983a94
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: BD2135716007049FCB219F68DD48B5BBBF8AF81715B048A3EED96A26E0D734E944CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404BC9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BE4
GetMessagePos.USER32 ref: 00404BEC
ScreenToClient.USER32(?,?), ref: 00404C06
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C18
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C3E

Strings

f, xrefs: 00404C1A

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: e2d68be7770c43893e1e2478522bb0d44a2fa382b0b36792216c84cf33d7cb12
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 6F015E71D00218BAEB00DB94DD85BFFBBBCAF95B11F10412BBA51B61D0C7B49A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 734B161D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,734B21EC,?,00000808), ref: 734B1635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,734B21EC,?,00000808), ref: 734B163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,734B21EC,?,00000808), ref: 734B1650
GetProcAddress.KERNEL32(!Ks,00000000), ref: 734B1657
GlobalFree.KERNEL32(00000000), ref: 734B1660

Strings

!Ks, xrefs: 734B1653

Memory Dump Source

Source File: 00000006.00000002.533763640156.00000000734B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 734B0000, based on PE: true

Associated: 00000006.00000002.533763573689.00000000734B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763687726.00000000734B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763739600.00000000734B6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_734b0000_01-05-24 remittance.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID: !Ks
API String ID: 1148316912-3360791529
Opcode ID: 43d70df50eb7b9c922b1358ed9c4489389e83d80f944fef2a2e47cdfdf603581
Instruction ID: c02cf8dc1ae217fb5b1a78a6740574f76ff15960f406f07f7e92bdbccf3d942f
Opcode Fuzzy Hash: 43d70df50eb7b9c922b1358ed9c4489389e83d80f944fef2a2e47cdfdf603581
Instruction Fuzzy Hash: 35F0AC7320A1387BD6212AA78C4CD9BBE9CDF8B2F5B210215F62CA229096615D11D7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00402DF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
MulDiv.KERNEL32(000517DD,00000064,00052E60), ref: 00402E3C
wsprintfW.USER32 ref: 00402E4C
SetWindowTextW.USER32(?,?), ref: 00402E5C
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E

Strings

verifying installer: %d%%, xrefs: 00402E46

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 6965d9c5c48a28546e9d20d127b94d49c3901fd75ac404c7f7ea7b44a32dc8c3
Instruction ID: 3b7df5e00b9d055b55134e233a6447c2e1405f162d6c23549fa63679cea1b34f
Opcode Fuzzy Hash: 6965d9c5c48a28546e9d20d127b94d49c3901fd75ac404c7f7ea7b44a32dc8c3
Instruction Fuzzy Hash: 5601677164020CBFDF109F50DD49FAE3B69AB04305F108439FA05B51E0DBB98555CF58

Uniqueness

Uniqueness Score: -1.00%

Function 734B2569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 734B121B: GlobalAlloc.KERNELBASE(00000040,?,734B123B,?,734B12DF,00000019,734B11BE,-000000A0), ref: 734B1225

GlobalFree.KERNEL32(?), ref: 734B2657
GlobalFree.KERNEL32(00000000), ref: 734B268C

Memory Dump Source

Source File: 00000006.00000002.533763640156.00000000734B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 734B0000, based on PE: true

Associated: 00000006.00000002.533763573689.00000000734B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763687726.00000000734B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763739600.00000000734B6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_734b0000_01-05-24 remittance.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 54b5263b17de8a8c7696550ee0c9f4aa3d0d60948bc6deec83ceacf39bb52ae2
Instruction ID: 98ecb5d9063be10faf8ce8880befcee91aef8b4d47af8774fbbcc5f65b533841
Opcode Fuzzy Hash: 54b5263b17de8a8c7696550ee0c9f4aa3d0d60948bc6deec83ceacf39bb52ae2
Instruction Fuzzy Hash: 89311E32104199DFD71E9F68C894F2ABBFAFB85304724056DF556A3270D7389816CB39

Uniqueness

Uniqueness Score: -1.00%

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 4c7fd7b1f91375a2558ff4a0a047554b9ac13023ec1a621a7b7447f5a49afdce
Instruction ID: 9b62f472eb3a95df078ad497759be9c31f6c15c11f60cf08f6005a6c9cb4e6e4
Opcode Fuzzy Hash: 4c7fd7b1f91375a2558ff4a0a047554b9ac13023ec1a621a7b7447f5a49afdce
Instruction Fuzzy Hash: 9921BFB1C00128BBCF116FA5DE49D9E7E79EF09364F14423AF960762E0CB794C419B98

Uniqueness

Uniqueness Score: -1.00%

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A
C:\Users\user\AppData\Local\Temp\nsiAADD.tmp, xrefs: 004025E1

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsiAADD.tmp$C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll
API String ID: 3109718747-2028760050
Opcode ID: b41912cbdb43ef931572453ff51d24b216cae1fafc2a6b10ba58868b50a2d1d4
Instruction ID: 4bb1670e371a3de23f361dcee459543bcfcf4636ee0f51b5b5a9e7d0ab821041
Opcode Fuzzy Hash: b41912cbdb43ef931572453ff51d24b216cae1fafc2a6b10ba58868b50a2d1d4
Instruction Fuzzy Hash: DB11CB72A05300BEDB046FB18E8999F7664AF54399F20843FF502F61D1D9FC89415B5E

Uniqueness

Uniqueness Score: -1.00%

Function 734B2394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 734B24D6

Part of subcall function 734B122C: lstrcpynW.KERNEL32(00000000,?,734B12DF,00000019,734B11BE,-000000A0), ref: 734B123C

GlobalAlloc.KERNEL32(00000040), ref: 734B245C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 734B2477

Memory Dump Source

Source File: 00000006.00000002.533763640156.00000000734B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 734B0000, based on PE: true

Associated: 00000006.00000002.533763573689.00000000734B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763687726.00000000734B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763739600.00000000734B6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_734b0000_01-05-24 remittance.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 2b9bbae1cc9d5e5ad7db6281394eb7974648bdb4974824f226939303a966af66
Instruction ID: 5fb132a8b46fa13fafb6fa91cd36d13e7c2c14b9b8e878026ce13ae22f719c40
Opcode Fuzzy Hash: 2b9bbae1cc9d5e5ad7db6281394eb7974648bdb4974824f226939303a966af66
Instruction Fuzzy Hash: FB41BEB1004389EFE31CAF35D844B6677F9FB48310F10491DE45A96A81EB78A845CB79

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction ID: 8812a6a15301a194985102fbed33e50eefbd915e65da34b8167a76c641a3bf07
Opcode Fuzzy Hash: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
Instruction Fuzzy Hash: 1B017571948240EFE7406BB4AF8A7D97FB49F95301F10457EE241B71E2CA7804459F2D

Uniqueness

Uniqueness Score: -1.00%

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 9f3e8361c5455c25eedd40ad678b741ea6618978e593034b97affd3e1747e9e4
Instruction ID: 7e4da700d615158f321032e6dee441e0afa22e46251462cde10931eea5e4b44d
Opcode Fuzzy Hash: 9f3e8361c5455c25eedd40ad678b741ea6618978e593034b97affd3e1747e9e4
Instruction Fuzzy Hash: 59F0EC72A04518AFDB41DBE4DE88CEEB7BCEB48301B14446AF641F61A0CA749D519B38

Uniqueness

Uniqueness Score: -1.00%

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
Instruction ID: 5915ba61491c244e76e1eaab0aa102c6a5e0f3d841db56a12d121f6c77e1b82d
Opcode Fuzzy Hash: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
Instruction Fuzzy Hash: E621C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605F61D0D7B889409B18

Uniqueness

Uniqueness Score: -1.00%

Function 00404ABB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
wsprintfW.USER32 ref: 00404B65
SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78

Strings

%u.%u%s%s, xrefs: 00404B46

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 8e1849089d1706092538d53dcc1b09932bb61135a47c912d96c06dfbe26bc751
Instruction ID: c6a8333de7f2a0e63f9e82a7fb0d3590b97a2c0368f8d4fe0eecd184368e2ceb
Opcode Fuzzy Hash: 8e1849089d1706092538d53dcc1b09932bb61135a47c912d96c06dfbe26bc751
Instruction Fuzzy Hash: 5711DB736041282BDB00656D9C41F9E329CDB86334F15423BFB25F21D1D978DC1186E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405C17 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,?,?,75393420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75393420,00000000), ref: 00405C25
CharNextW.USER32(00000000), ref: 00405C2A
CharNextW.USER32(00000000), ref: 00405C42

Strings

C:\Users\user\AppData\Local\Temp\nsiAADD.tmp, xrefs: 00405C18

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsiAADD.tmp
API String ID: 3213498283-1538913942
Opcode ID: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
Instruction ID: 6a9d977fbe5713998eb834b7ad01fe533960ca492682b5c2b36711c34b001c28
Opcode Fuzzy Hash: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
Instruction Fuzzy Hash: DDF0F061808B1095FB3176644C88E7B66BCEB55360B04803BE641B72C0D3B84DC18EAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405B6C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75393420,004035B6,?,00000006,00000008,0000000A), ref: 00405B72
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75393420,004035B6,?,00000006,00000008,0000000A), ref: 00405B7C
lstrcatW.KERNEL32(?,0040A014), ref: 00405B8E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B6C

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-787714339
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 803477e47080facc391f0cecd2807ccdb00b9d1fdb40608b9d44cb66137c19bb
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: 3BD0A731501A30AAC111BB449D04DDF72ACDE45304342047FF101B31A2C7BC2D5287FD

Uniqueness

Uniqueness Score: -1.00%

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction ID: 4ebe2cb43181949e29f1e9fb79ae388d5d3e17bd3db4e8cfc4c1202d027f6d8e
Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
Instruction Fuzzy Hash: FB116A32500108FBDF02AB90CE49FEE7B7DAF44340F110076B905B51E1E7B59E21AB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402E79 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
GetTickCount.KERNEL32 ref: 00402EAA
CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
Instruction ID: b514363a92e965461d88eaa206c20d0702a544c8e4880045d1c7c79aac8a479e
Opcode Fuzzy Hash: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
Instruction Fuzzy Hash: 3AF05E30966A21EBC6606B24FE8CA8B7B64FB44B01711887BF001B11B4DA7C4892CBDC

Uniqueness

Uniqueness Score: -1.00%

Function 00405C74 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4

Part of subcall function 00405C17: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,?,?,75393420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75393420,00000000), ref: 00405C25
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,?,?,75393420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75393420,00000000), ref: 00405CCD
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,C:\Users\user\AppData\Local\Temp\nsiAADD.tmp,?,?,75393420,004059C9,?,C:\Users\user\AppData\Local\Temp\,75393420), ref: 00405CDD

Strings

C:\Users\user\AppData\Local\Temp\nsiAADD.tmp, xrefs: 00405C7A, 00405C7F, 00405C85, 00405CC6, 00405CCC, 00405CD4, 00405CDC

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsiAADD.tmp
API String ID: 3248276644-1538913942
Opcode ID: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
Instruction ID: 850bfc7ffc9f89e8bebb6f59b63454ed566b5c4d810398842941662e03732b0e
Opcode Fuzzy Hash: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
Instruction Fuzzy Hash: 82F0D625019F5216F622363A4D09AAF1954CE82364B0A013FF891722C1DB3C8942DD6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405273 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004052A2
CallWindowProcW.USER32(?,?,?,?), ref: 004052F3

Part of subcall function 0040425A: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C

Strings

, xrefs: 00405283

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
Instruction ID: beea61cd65c8703650dc93cdae6e0720761c29505c5582e3341eda9a3c117467
Opcode Fuzzy Hash: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
Instruction Fuzzy Hash: BD01BC71200608AFEB208F11DD80AAB3B25EF85355F20807FFA01761D0C73A8C919F2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405880 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 004058A9
CloseHandle.KERNEL32(?), ref: 004058B6

Strings

Error launching installer, xrefs: 00405893

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction ID: b039bfc1fd8153a77b97507ee8e8b42fe9752dbefc529c56e43fdfa491991b30
Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction Fuzzy Hash: 6CE0B6F5600209BFFB00AF64ED09E7B7BACEB58605F058525BD51F2290D6B998148A78

Uniqueness

Uniqueness Score: -1.00%

Function 004038F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75393420,004038CA,004036E0,00000006,?,00000006,00000008,0000000A), ref: 0040390C
GlobalFree.KERNEL32(00863AC8), ref: 00403913

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403904

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-787714339
Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction ID: 827a6d7c30b52d61f5a2dbff04e35f254d4b7381da6d9dc608e34789494937b8
Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction Fuzzy Hash: 58E0CD334010205BC6115F04FE0475A77685F45B22F16003BFC807717147B41C538BC8

Uniqueness

Uniqueness Score: -1.00%

Function 00405BB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\01-05-24 remittance.exe,C:\Users\user\Desktop\01-05-24 remittance.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBE
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\01-05-24 remittance.exe,C:\Users\user\Desktop\01-05-24 remittance.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BCE

Strings

C:\Users\user\Desktop, xrefs: 00405BB8

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3443045126
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: d1e11866c06308db2688671cfe2e39cf8e5f3b64411c1caee3e249c785e2e979
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: BDD05EB34109209AC3126B08DC00D9F77BCEF11301746486AF440A6161D7786C8186AD

Uniqueness

Uniqueness Score: -1.00%

Function 734B10E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 734B116A
GlobalFree.KERNEL32(00000000), ref: 734B11C7
GlobalFree.KERNEL32(00000000), ref: 734B11D9
GlobalFree.KERNEL32(?), ref: 734B1203

Memory Dump Source

Source File: 00000006.00000002.533763640156.00000000734B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 734B0000, based on PE: true

Associated: 00000006.00000002.533763573689.00000000734B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763687726.00000000734B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.533763739600.00000000734B6000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_734b0000_01-05-24 remittance.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: b6401c67d53746b49cf84ff5efb9dc267d404e6b37252de03378c1fed660bcfb
Instruction ID: a955633ac075916cc52ade203ecc9dc8caa838c058389afc7a945b64b78fa419
Opcode Fuzzy Hash: b6401c67d53746b49cf84ff5efb9dc267d404e6b37252de03378c1fed660bcfb
Instruction Fuzzy Hash: DE3181B2500201DFE70DAF69C945B26B7FAEB49210B24055AE84AFB354F73CDD018778

Uniqueness

Uniqueness Score: -1.00%

Function 00405CF2 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D1A
CharNextA.USER32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D2B
lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34

Memory Dump Source

Source File: 00000006.00000002.533742895299.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.533742818824.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533742988640.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743061319.00000000007CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.533743938295.00000000007CD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_01-05-24 remittance.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 076f441daad098c1e87a0755c7bbd60db18a276d6ce73f7d9d897af98e652dc6
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: E5F0F631204918FFC7129FA4DD0499FBBB8EF06354B2580BAE840FB211D674DE01AFA8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 01-05-24 remittance.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Setup.ini

C:\Users\user\AppData\Local\Temp\nsiAADD.tmp\System.dll

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae\Nonassimilability184.Twi

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae\Zilla.Ant

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae\jammerklagerne.txt

C:\Users\user\AppData\Local\disktyper\twinly\olacaceae\usynligheden.obj

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\dirigentstokkens.lnk

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
01-05-24 remittance.exe

Function 0040336C Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Function 0040543E Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 004059A9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403D35 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 00403987 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402EDD Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Function 004062B9 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 004052FF Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Function 00406601 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00403116 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Function 004057CE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00405DBC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 734B1777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON