Edit tour

Windows Analysis Report
documentos.exe

Overview

General Information

Sample name:	documentos.exe
Analysis ID:	1447922
MD5:	257e48b2852805583552ce20132e3c0d
SHA1:	fad6747e82e6fdd330cf3da35c7d178b30d7a21a
SHA256:	822e8ac1653b10c7062998adf7db838bd515dc3cd43047a4d12bc9d2c2080696
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

documentos.exe (PID: 1444 cmdline: "C:\Users\user\Desktop\documentos.exe" MD5: 257E48B2852805583552CE20132E3C0D)

RegSvcs.exe (PID: 4068 cmdline: "C:\Users\user\Desktop\documentos.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.midhcodistribuciones.com", "Username": "v3doo@midhcodistribuciones.com", "Password": ",A7}+JV4KExQ"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2603244336.0000000002E35000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a3b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aad:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b37:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33bc9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c33:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ca5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d3b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33dcb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30ca6:$s2: GetPrivateProfileString 0x3033c:$s3: get_OSFullName 0x3197d:$s5: remove_Key 0x31af3:$s5: remove_Key 0x32a22:$s6: FtpWebRequest 0x33a1d:$s7: logins 0x33f8f:$s7: logins 0x36d08:$s7: logins 0x36d52:$s7: logins 0x38651:$s7: logins 0x378ec:$s9: 1.85 (Hash, version 2, native byte-order)
Process Memory Space: documentos.exe PID: 1444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: documentos.exe PID: 1444	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: documentos.exe PID: 1444	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 4068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4068	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a3b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aad:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b37:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33bc9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c33:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ca5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d3b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33dcb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30ca6:$s2: GetPrivateProfileString 0x3033c:$s3: get_OSFullName 0x3197d:$s5: remove_Key 0x31af3:$s5: remove_Key 0x32a22:$s6: FtpWebRequest 0x33a1d:$s7: logins 0x33f8f:$s7: logins 0x36d08:$s7: logins 0x36d52:$s7: logins 0x38651:$s7: logins 0x378ec:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.documentos.exe.3ba0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.documentos.exe.3ba0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.documentos.exe.3ba0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.documentos.exe.3ba0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33a3b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33aad:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33b37:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33bc9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33c33:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33ca5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33d3b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33dcb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.documentos.exe.3ba0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30ca6:$s2: GetPrivateProfileString 0x3033c:$s3: get_OSFullName 0x3197d:$s5: remove_Key 0x31af3:$s5: remove_Key 0x32a22:$s6: FtpWebRequest 0x33a1d:$s7: logins 0x33f8f:$s7: logins 0x36d08:$s7: logins 0x36d52:$s7: logins 0x38651:$s7: logins 0x378ec:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.documentos.exe.3ba0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.documentos.exe.3ba0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.documentos.exe.3ba0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31c3b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31cad:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31d37:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31dc9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31e33:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31ea5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31f3b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31fcb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.documentos.exe.3ba0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2eea6:$s2: GetPrivateProfileString 0x2e53c:$s3: get_OSFullName 0x2fb7d:$s5: remove_Key 0x2fcf3:$s5: remove_Key 0x30c22:$s6: FtpWebRequest 0x31c1d:$s7: logins 0x3218f:$s7: logins 0x34f08:$s7: logins 0x34f52:$s7: logins 0x36851:$s7: logins 0x35aec:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: documentos.exe

Avira: detected

Found malware configuration

Source: 0.2.documentos.exe.3ba0000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.midhcodistribuciones.com", "Username": "v3doo@midhcodistribuciones.com", "Password": ",A7}+JV4KExQ"}

Multi AV Scanner detection for submitted file

Source: documentos.exe	ReversingLabs: Detection: 68%
Source: documentos.exe	Virustotal: Detection: 70%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: documentos.exe

Joe Sandbox ML: detected

Source: documentos.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: documentos.exe, 00000000.00000003.1354518336.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, documentos.exe, 00000000.00000003.1355080245.0000000004120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: documentos.exe, 00000000.00000003.1354518336.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, documentos.exe, 00000000.00000003.1355080245.0000000004120000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BD4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BD4696
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00BDC9C7
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDC93C FindFirstFileW,FindClose,	0_2_00BDC93C
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BDF200
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BDF35D
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BDF65E
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BD3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BD3A2B
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BD3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BD3D4E
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BDBF27

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documentos.exe.3ba0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BE25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00BE25E2

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.2603244336.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2603244336.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2603244336.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: documentos.exe, 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2603244336.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2602976383.000000000122F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2603244336.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.2603244336.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2603244336.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: documentos.exe, 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, FaJzHLniypp.cs

.Net Code: UZ6rXXVq3Ow

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BE425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00BE425A

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BE4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00BE4458

Source: C:\Users\user\Desktop\documentos.exe

0_2_00BE425A

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BD0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00BD0219

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BFCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00BFCDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.documentos.exe.3ba0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.documentos.exe.3ba0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\documentos.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00B73B4C
Source: documentos.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: documentos.exe, 00000000.00000000.1344586831.0000000000C25000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bc0e827c-c
Source: documentos.exe, 00000000.00000000.1344586831.0000000000C25000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a85745c9-2
Source: documentos.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_91793ca2-d
Source: documentos.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f593b72f-8

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: documentos.exe

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BD40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00BD40B1

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BC8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00BC8858

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BD545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00BD545F

Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B7E800	0_2_00B7E800
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B9DBB5	0_2_00B9DBB5
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B7E060	0_2_00B7E060
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BF804A	0_2_00BF804A
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B84140	0_2_00B84140
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B92405	0_2_00B92405
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BA6522	0_2_00BA6522
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BA267E	0_2_00BA267E
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BF0665	0_2_00BF0665
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B9283A	0_2_00B9283A
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B86843	0_2_00B86843
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BA89DF	0_2_00BA89DF
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BA6A94	0_2_00BA6A94
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BF0AE2	0_2_00BF0AE2
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B88A0E	0_2_00B88A0E
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BD8B13	0_2_00BD8B13
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BCEB07	0_2_00BCEB07
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B9CD61	0_2_00B9CD61
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BA7006	0_2_00BA7006
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B83190	0_2_00B83190
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B8710E	0_2_00B8710E
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B71287	0_2_00B71287
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B933C7	0_2_00B933C7
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B9F419	0_2_00B9F419
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B85680	0_2_00B85680
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B916C4	0_2_00B916C4
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B978D3	0_2_00B978D3
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B858C0	0_2_00B858C0
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B91BB8	0_2_00B91BB8
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BA9D05	0_2_00BA9D05
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B7FE40	0_2_00B7FE40
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B9BFE6	0_2_00B9BFE6
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B91FD0	0_2_00B91FD0
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_02573670	0_2_02573670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0116A5F0	2_2_0116A5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01164A80	2_2_01164A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01163E68	2_2_01163E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_011641B0	2_2_011641B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0116DC28	2_2_0116DC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_059825C8	2_2_059825C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05981418	2_2_05981418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05983678	2_2_05983678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05983D60	2_2_05983D60

Source: C:\Users\user\Desktop\documentos.exe	Code function: String function: 00B90D27 appears 70 times
Source: C:\Users\user\Desktop\documentos.exe	Code function: String function: 00B77F41 appears 35 times
Source: C:\Users\user\Desktop\documentos.exe	Code function: String function: 00B98B40 appears 42 times

Source: documentos.exe, 00000000.00000003.1356968784.00000000043ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs documentos.exe
Source: documentos.exe, 00000000.00000003.1354331912.0000000004243000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs documentos.exe
Source: documentos.exe, 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameed6d94e2-6208-4795-9a94-d4ceaf934adf.exe4 vs documentos.exe

Source: documentos.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.documentos.exe.3ba0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.documentos.exe.3ba0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, Tk7F6W0v.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, Tk7F6W0v.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, Tk7F6W0v.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, Tk7F6W0v.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, ivMw3WGb8.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, ivMw3WGb8.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, cdw.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.documentos.exe.3ba0000.1.raw.unpack, cdw.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BDA2D5 GetLastError,FormatMessageW,

0_2_00BDA2D5

Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BC8713 AdjustTokenPrivileges,CloseHandle,		0_2_00BC8713
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BC8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00BC8CC3

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BDB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00BDB59E

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BEF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00BEF121

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BE86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00BE86D0

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00B74FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B74FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\documentos.exe

File created: C:\Users\user\AppData\Local\Temp\aut4FBD.tmp

Jump to behavior

Source: documentos.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\documentos.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2603244336.0000000002F13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2603244336.0000000002F00000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: documentos.exe	ReversingLabs: Detection: 68%
Source: documentos.exe	Virustotal: Detection: 70%

Source: unknown	Process created: C:\Users\user\Desktop\documentos.exe "C:\Users\user\Desktop\documentos.exe"
Source: C:\Users\user\Desktop\documentos.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\documentos.exe"
Source: C:\Users\user\Desktop\documentos.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\documentos.exe"	Jump to behavior

Source: C:\Users\user\Desktop\documentos.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\documentos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\documentos.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\documentos.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\documentos.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\documentos.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\documentos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\documentos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\documentos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\documentos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\documentos.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: documentos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: documentos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: documentos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: documentos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: documentos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: documentos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: documentos.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: documentos.exe, 00000000.00000003.1354518336.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, documentos.exe, 00000000.00000003.1355080245.0000000004120000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: documentos.exe, 00000000.00000003.1354518336.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, documentos.exe, 00000000.00000003.1355080245.0000000004120000.00000004.00001000.00020000.00000000.sdmp

Source: documentos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: documentos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: documentos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: documentos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: documentos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BEC304 LoadLibraryA,GetProcAddress,

0_2_00BEC304

Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B98B85 push ecx; ret		0_2_00B98B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0598C1C0 push es; ret		2_2_0598C1D0

Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B74A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B74A35
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BF55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00BF55FD

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00B933C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B933C7

Source: C:\Users\user\Desktop\documentos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\documentos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: documentos.exe PID: 1444, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: documentos.exe, 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2603244336.0000000002E35000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2603244336.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\documentos.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99300

Source: C:\Users\user\Desktop\documentos.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BD4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BD4696
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00BDC9C7
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDC93C FindFirstFileW,FindClose,	0_2_00BDC93C
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BDF200
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BDF35D
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BDF65E
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BD3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BD3A2B
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BD3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BD3D4E
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BDBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BDBF27

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00B74AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B74AFE

Source: RegSvcs.exe, 00000002.00000002.2603244336.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.2603898253.00000000061F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: RegSvcs.exe, 00000002.00000002.2603244336.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem

Source: C:\Users\user\Desktop\documentos.exe

API call chain: ExitProcess graph end node

graph_0-98268

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_01167060 CheckRemoteDebuggerPresent,

2_2_01167060

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BE41FD BlockInput,

0_2_00BE41FD

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00B73B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B73B4C

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BA5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00BA5CCC

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BEC304 LoadLibraryA,GetProcAddress,

0_2_00BEC304

Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_02573560 mov eax, dword ptr fs:[00000030h]	0_2_02573560
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_02573500 mov eax, dword ptr fs:[00000030h]	0_2_02573500
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_02571ED0 mov eax, dword ptr fs:[00000030h]	0_2_02571ED0

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BC81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00BC81F7

Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B9A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00B9A395
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00B9A364 SetUnhandledExceptionFilter,		0_2_00B9A364

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\documentos.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\documentos.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C3E008

Jump to behavior

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BC8C93 LogonUserW,

0_2_00BC8C93

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00B73B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B73B4C

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00B74A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00B74A35

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BD4EF5 mouse_event,

0_2_00BD4EF5

Source: C:\Users\user\Desktop\documentos.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\documentos.exe"

Jump to behavior

Source: C:\Users\user\Desktop\documentos.exe

0_2_00BC81F7

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BD4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00BD4C03

Source: documentos.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: documentos.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00B9886B cpuid

0_2_00B9886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BA50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00BA50D7

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BB2230 GetUserNameW,

0_2_00BB2230

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00BA418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00BA418A

Source: C:\Users\user\Desktop\documentos.exe

Code function: 0_2_00B74AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B74AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documentos.exe.3ba0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documentos.exe.3ba0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: documentos.exe PID: 1444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4068, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: documentos.exe	Binary or memory string: WIN_81
Source: documentos.exe	Binary or memory string: WIN_XP
Source: documentos.exe	Binary or memory string: WIN_XPe
Source: documentos.exe	Binary or memory string: WIN_VISTA
Source: documentos.exe	Binary or memory string: WIN_7
Source: documentos.exe	Binary or memory string: WIN_8
Source: documentos.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documentos.exe.3ba0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documentos.exe.3ba0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2603244336.0000000002E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: documentos.exe PID: 1444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4068, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documentos.exe.3ba0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.documentos.exe.3ba0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: documentos.exe PID: 1444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4068, type: MEMORYSTR

Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BE6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00BE6596
Source: C:\Users\user\Desktop\documentos.exe	Code function: 0_2_00BE6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00BE6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	551 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Virtualization/Sandbox Evasion	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
documentos.exe	68%	ReversingLabs	Win32.Spyware.Negasteal
documentos.exe	70%	Virustotal		Browse
documentos.exe	100%	Avira	TR/AD.ShellcodeCrypter.cdudx
documentos.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
ip-api.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://account.dyn.com/	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	documentos.exe, 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2603244336.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2603244336.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegSvcs.exe, 00000002.00000002.2603244336.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2603244336.0000000002EE3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2603244336.0000000002EC8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447922
Start date and time:	2024-05-27 12:30:28 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	documentos.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 55 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	PI-236031.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	INV 0983 OSY 240524_PDF.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	99200032052824.bat.exe	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
	PO_27052024.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Reiven RFQ-27-05-2024.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ev1NIvTd6f.exe	Get hash	malicious	Unknown	Browse	/json/
	https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.FileRepMalware.1834.13764.exe	Get hash	malicious	Discord Token Stealer, XWorm	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	PI-236031.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	INV 0983 OSY 240524_PDF.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	99200032052824.bat.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	PO_27052024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Reiven RFQ-27-05-2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ev1NIvTd6f.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	SecuriteInfo.com.FileRepMalware.1834.13764.exe	Get hash	malicious	Discord Token Stealer, XWorm	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	PI-236031.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	INV 0983 OSY 240524_PDF.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	99200032052824.bat.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	PO_27052024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Reiven RFQ-27-05-2024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ev1NIvTd6f.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	https://mega.nz/file/wncXiYhZ#ABJEpmoiGH0hIeVVKQy7V_ALtGclDnJ4rFrDjwZ8kDE	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	uChcvn3L6R.exe	Get hash	malicious	DCRat	Browse	208.95.112.1
	SecuriteInfo.com.FileRepMalware.1834.13764.exe	Get hash	malicious	Discord Token Stealer, XWorm	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\documentos.exe
File Type:	data
Category:	dropped
Size (bytes):	144078
Entropy (8bit):	7.741622614039229
Encrypted:	false
SSDEEP:	3072:1dkXYeWVUU5kYph7258DSodE7/zqjhrBk0XIvt3ao++YvL7Lq3MXHur:PkAWcba8Soy7Lqj7ksx+0LmMXHu
MD5:	C6BF2D15800DB251C01553BFDC04B6E9
SHA1:	DD160B5B244E933628A6613BE703F1B39BA0A69E
SHA-256:	E63B84C4B094413EC97FA0B481CF60308148214E7E060533ED447DB86B6AB71B
SHA-512:	286147D624BE70559FA218D6F583A20067B95F5D029221E0D3C0C183A7F65029750AB946F201E873054DF9D6F3A1A52F59A1068281ADD102C65DA1AC76CB7A73
Malicious:	false
Reputation:	low
Preview:	EA06......8s....5.R...:.R.Q.s....x..)..eJ..!........+..L.....#?$....N.s[..O-...2{,.[_.Od.i.R.0....9]..~...R.O......@.s....5..-R...mhT..N.S2...J...:.N.D@..5@.@.Mg....gL.U.$3<....1...(1N..:.5.cU...5Zu2B...(..u.Z..4. ...T.....k .P....@Q..;0.. ....O..i......h. ...F...=l..&W...6../...... P...U<......X..A"......H..)...~....C&4....b...4......z..kp..g`..6cL..x.......\|.7....M.tIt.#t.HzS-....L.p.......H.....m2z.]....../......o5..Z...]>.k..J....f?%..f\zG3.i.].e..T.{e8...e...(v..c...X......:.E#.^..G..g....yY.."..UB};..53......g=8^_.w>.Z......X..<...~.T....-....J.0....4.0/.....@............. .... G@.....v. ..oJ..ZI..........\..x.........9I.V]...q2/.......Yn.wr.Euz...C).w..u"...Ujt...E.M..z\.e..\.. ...C`.}m.L.....j#......9....ly.-h...s&....gR.Q......5..$...R.&..5I4.AC......".Je`8............I4.O.s...J......z<r.N.S......g.[.TZU.GN.Ch.9.@..R-..d.P.n.j...F.@).....l....P...g.S....{..).Y...M....=..T.A...U....U.Q......D...A..r.Q.3.P....Q,..ub.p.T..(

C:\Users\user\AppData\Local\Temp\aut502C.tmp

Download File

Process:	C:\Users\user\Desktop\documentos.exe
File Type:	data
Category:	dropped
Size (bytes):	9920
Entropy (8bit):	7.595256317557242
Encrypted:	false
SSDEEP:	192:eyaFcTokwRLMN/6EuuOF8+sXHJSZNr0SYLeSJkF8ArSpW+jmfmpzGpNo:AFxkwRwTSmUieykFd+c+qfmpim
MD5:	EF743923219241FDFC0B6663596D4E2D
SHA1:	CEA013D643BF6A5381386F6C634596604AD5813A
SHA-256:	2EE09C61F1EDFDDC79847AADBDBA33C8E51C7A9CA5AE465FBADA532F75DCBF39
SHA-512:	7F8CBA97051131A81419494355AF54309915D2DA680135172229C52C357EC17F847845FD01E8529F2BEF4B134C776587290CA16490C667BCBD77F0449E18A7FE
Malicious:	false
Reputation:	low
Preview:	EA06..t4.M(...aD..fT)..D.Mh.z,.gA....5.......B.Mh..%.mF.Mf....qb.....-..c.L...$.m5...k..c0.M....k8.X.3i...l..%.o2....A8.6,.........3k....e.N&s0.oNf.)...k.K$.eb....5..f.........6.0.o.p....l39....V0...S..$.if...6....f.I...@.....i8........X@.4.1..........$.P...0z.5..$}3Y.....=5..`d....!d..V...7f.[$..8...\|.I..W.d...\|vI..W.d...\|vK..W.d...\|vK(.W.e...\|vY..W,.O...k.`..X@..9..^.8..F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn.

C:\Users\user\AppData\Local\Temp\outbluffed

Download File

Process:	C:\Users\user\Desktop\documentos.exe
File Type:	data
Category:	dropped
Size (bytes):	241664
Entropy (8bit):	6.560113800757645
Encrypted:	false
SSDEEP:	6144:bpgYsqwty/09CdJMOQ8VhxIJqyM1G65HoCtVn1/u9m:bBsqd7MOQ8VhxIJqyAT5HoCtB09m
MD5:	0752ED2666E68CCA6FB7B68FC0A4B8FC
SHA1:	739A689A5DF1770AC073A48D31AC50CBF1F2F858
SHA-256:	FB8C68A169FA078E1BB74E5A4732FA96E9125A43A07F9557F8FF367AEA3C9EE6
SHA-512:	BC9887F8E9E0C3769C82F7B3136811A5011542F96F36597DE042153A2ED2906CE24CE489A6E61D314ACC4F54A1652C5A9B777987745247AC67D97A9612D04B9C
Malicious:	false
Reputation:	low
Preview:	...1VBL5<JEN..LR.FS1UBL5xJENL1LRRFS1UBL58JENL1LRRFS1UBL58JEN.1LR\Y.?U.E...D....:;5sA'-+GY'e--_"=&f1Tu09[.#+n.~.r?)7T{OA?.JENL1LR..S1.CO5..j(L1LRRFS1.BN43KNNL.ORRNS1UBL5v.FNL.LRR.P1UB.58jENL3LRVFS1UBL5<JENL1LRRfW1U@L58JENN1..RFC1URL58JUNL!LRRFS1EBL58JENL1LR..P1.BL58.FN.4LRRFS1UBL58JENL1LRRFW1YBL58JENL1LRRFS1UBL58JENL1LRRFS1UBL58JENL1LRRFS1UBL58jEND1LRRFS1UBL50jEN.1LRRFS1UBL5.> 681LR..P1UbL58.FNL3LRRFS1UBL58JENl1L2\|4 C6BL5~OENL.ORR@S1U.O58JENL1LRRFS1.BLu.8 "#RLR^FS1UBH58HENL.ORRFS1UBL58JEN.1L.RFS1UBL58JENL1LRb.P1UBL5pJENN1IR..Q15pM5;JENM1LTRFS1UBL58JENL1LRRFS1UBL58JENL1LRRFS1UBL58JENL1LRO......p7{D.6.t.!.2.._..3..CpY.)R....A.....kDJ..F.>e...1...D.ZW?R....N?BY.%}I2.H..i.wd:.z.T<.)...2..$Cj.....`p...:L....E..1)>.42<Y]d./P>;.D.0UBL5......;>.kxAC+.X=...fT+g...FJEN(1LR FS14BL5.JEN#1LR<FS1+BL5FJEN.1LR.FS1bBL5.JEN!1LRvFS1+BL5.7JA..;!.1UBL5...~.\..........I.;......".z..If.E-.;r....]..)../..Ho..US@W4WEH64wK...sPBW4WEH64wK...s.`..l..I....K..RFS1UB.58.ENL..R.FS1.B.5..ENL..R.F.1...5

C:\Users\user\AppData\Local\Temp\totten

Download File

Process:	C:\Users\user\Desktop\documentos.exe
File Type:	ASCII text, with very long lines (29748), with no line terminators
Category:	dropped
Size (bytes):	29748
Entropy (8bit):	3.546152728717839
Encrypted:	false
SSDEEP:	768:ViTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+I76Md4vfF3if6gyx:ViTZ+2QoioGRk6ZklputwjpjBkCiw2RY
MD5:	CF974E92863A4C5CB0F5D7BE8BF30B7A
SHA1:	858BADB212AE1B759FC3139605BA27188DD2BC83
SHA-256:	D5C222706F9673E2E1B78C1C6200E26936EDE3CD2ECEAA0315304D35C31A81A5
SHA-512:	504EA497FA37388A6F425A602B78E93E636D46D6F20C1883A35DB8559C9DF036358962180B0F30AA5966B142996355DE19EE393A52A8AD14EE1E7A2195944887
Malicious:	false
Reputation:	low
Preview:	84F98E0D192B10FD05E7E43AEF7957D5930866ABD5D0DA6FF50x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.9232336703936905
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	documentos.exe
File size:	1'029'632 bytes
MD5:	257e48b2852805583552ce20132e3c0d
SHA1:	fad6747e82e6fdd330cf3da35c7d178b30d7a21a
SHA256:	822e8ac1653b10c7062998adf7db838bd515dc3cd43047a4d12bc9d2c2080696
SHA512:	b20c6a0c51390f80ad49799967a83ce096e124d6cc4652222a530a36aa7573ad2df078707bf9517969e90896d38dd71710feaf26dd5e35fdcea87efa2c101a32
SSDEEP:	24576:eAHnh+eWsN3skA4RV1Hom2KXMmHaxGxllnKr8si75:Jh+ZkldoPK8YaxGx7E89
TLSH:	F2259D0273D1C036FFAB92739B6AF24556BC79254123852F13982DB9BD701B2263E763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x664CBB0B [Tue May 21 15:17:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FDEA905B48Dh
jmp 00007FDEA904E244h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FDEA904E3CAh
cmp edi, eax
jc 00007FDEA904E72Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FDEA904E3C9h
rep movsb
jmp 00007FDEA904E6DCh
cmp ecx, 00000080h
jc 00007FDEA904E594h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FDEA904E3D0h
bt dword ptr [004BF324h], 01h
jc 00007FDEA904E8A0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FDEA904E56Dh
test edi, 00000003h
jne 00007FDEA904E57Eh
test esi, 00000003h
jne 00007FDEA904E55Dh
bt edi, 02h
jnc 00007FDEA904E3CFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FDEA904E3D3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FDEA904E425h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x30fc4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf9000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x30fc4	0x31000	1a049610a9db0e94734488c1ae1b5c5e	False	0.866455078125	data	7.734659260972017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf9000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x2828a	data			1.0003708432123533
RT_GROUP_ICON	0xf8a44	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xf8abc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xf8ad0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xf8ae4	0x14	data	English	Great Britain	1.25
RT_VERSION	0xf8af8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xf8bd4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 12:31:18.892251968 CEST	49705	80	192.168.2.8	208.95.112.1
May 27, 2024 12:31:18.897175074 CEST	80	49705	208.95.112.1	192.168.2.8
May 27, 2024 12:31:18.897239923 CEST	49705	80	192.168.2.8	208.95.112.1
May 27, 2024 12:31:18.898046970 CEST	49705	80	192.168.2.8	208.95.112.1
May 27, 2024 12:31:18.902877092 CEST	80	49705	208.95.112.1	192.168.2.8
May 27, 2024 12:31:19.374452114 CEST	80	49705	208.95.112.1	192.168.2.8
May 27, 2024 12:31:19.421833992 CEST	49705	80	192.168.2.8	208.95.112.1
May 27, 2024 12:32:26.157812119 CEST	80	49705	208.95.112.1	192.168.2.8
May 27, 2024 12:32:26.158060074 CEST	49705	80	192.168.2.8	208.95.112.1
May 27, 2024 12:32:59.391531944 CEST	49705	80	192.168.2.8	208.95.112.1
May 27, 2024 12:32:59.396536112 CEST	80	49705	208.95.112.1	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2024 12:31:18.880284071 CEST	56397	53	192.168.2.8	1.1.1.1
May 27, 2024 12:31:18.887387037 CEST	53	56397	1.1.1.1	192.168.2.8
May 27, 2024 12:32:02.211647034 CEST	53	49821	162.159.36.2	192.168.2.8
May 27, 2024 12:32:02.698704958 CEST	53	62325	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 27, 2024 12:31:18.880284071 CEST	192.168.2.8	1.1.1.1	0x2473	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 27, 2024 12:31:18.887387037 CEST	1.1.1.1	192.168.2.8	0x2473	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	208.95.112.1	80	4068	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 27, 2024 12:31:18.898046970 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
May 27, 2024 12:31:19.374452114 CEST	175	IN	HTTP/1.1 200 OK Date: Mon, 27 May 2024 10:31:19 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 28 X-Rl: 42 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	06:31:16
Start date:	27/05/2024
Path:	C:\Users\user\Desktop\documentos.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\documentos.exe"
Imagebase:	0xb70000
File size:	1'029'632 bytes
MD5 hash:	257E48B2852805583552CE20132E3C0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.1361495342.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:31:16
Start date:	27/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\documentos.exe"
Imagebase:	0xaf0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2602308052.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2603244336.0000000002E35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	152

Executed Functions

Function 00B73B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B73B7A
IsDebuggerPresent.KERNEL32 ref: 00B73B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00C362F8,00C362E0,?,?), ref: 00B73BFD

Part of subcall function 00B77D2C: _memmove.LIBCMT ref: 00B77D66

Part of subcall function 00B80A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B73C26,00C362F8,?,?,?), ref: 00B80ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00B73C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00C293F0,00000010), ref: 00BAD4BC
SetCurrentDirectoryW.KERNEL32(?,00C362F8,?,?,?), ref: 00BAD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C25D40,00C362F8,?,?,?), ref: 00BAD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00BAD581

Part of subcall function 00B73A58: GetSysColorBrush.USER32(0000000F), ref: 00B73A62
Part of subcall function 00B73A58: LoadCursorW.USER32(00000000,00007F00), ref: 00B73A71
Part of subcall function 00B73A58: LoadIconW.USER32(00000063), ref: 00B73A88
Part of subcall function 00B73A58: LoadIconW.USER32(000000A4), ref: 00B73A9A
Part of subcall function 00B73A58: LoadIconW.USER32(000000A2), ref: 00B73AAC
Part of subcall function 00B73A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B73AD2
Part of subcall function 00B73A58: RegisterClassExW.USER32(?), ref: 00B73B28

Part of subcall function 00B739E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B73A15
Part of subcall function 00B739E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B73A36
Part of subcall function 00B739E7: ShowWindow.USER32(00000000,?,?), ref: 00B73A4A
Part of subcall function 00B739E7: ShowWindow.USER32(00000000,?,?), ref: 00B73A53

Part of subcall function 00B743DB: _memset.LIBCMT ref: 00B74401
Part of subcall function 00B743DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B744A6

Strings

This is a third-party compiled AutoIt script., xrefs: 00BAD4B4
runas, xrefs: 00BAD575

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: c8881381b61c19ece91ad5187553bd76dbb638699fd6fc63c8655370eedfc5f3
Instruction ID: 5fd5c6e8966b75be2882af455e437732d99c1baeedb7f40a6abf3529e88e277a
Opcode Fuzzy Hash: c8881381b61c19ece91ad5187553bd76dbb638699fd6fc63c8655370eedfc5f3
Instruction Fuzzy Hash: 5F51B270918249BACF12ABB49C45BFE7BF8EF05700F04C1E5F46AA72A1DE714A45DB21

Function 00B74AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B74B2B

Part of subcall function 00B77D2C: _memmove.LIBCMT ref: 00B77D66

GetCurrentProcess.KERNEL32(?,00BFFAEC,00000000,00000000,?), ref: 00B74BF8
IsWow64Process.KERNEL32(00000000), ref: 00B74BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00B74C45
FreeLibrary.KERNEL32(00000000), ref: 00B74C50
GetSystemInfo.KERNEL32(00000000), ref: 00B74C81
GetSystemInfo.KERNEL32(00000000), ref: 00B74C8D

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: c774cbfc346794d1cf8672d52210af611234c9ede355d95841fcaaf19d3cc276
Instruction ID: c8428c726e6ff263161c9bafc52dcdfbd3d060d712f5065c427a42b6cc15c457
Opcode Fuzzy Hash: c774cbfc346794d1cf8672d52210af611234c9ede355d95841fcaaf19d3cc276
Instruction Fuzzy Hash: 2991A13154A7C0DAC732CB7884916AABFE4EF6A301B4489DED0DF93B41D720E948C729

Function 00B74FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B74EEE,?,?,00000000,00000000), ref: 00B74FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B74EEE,?,?,00000000,00000000), ref: 00B75010
LoadResource.KERNEL32(?,00000000,?,?,00B74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B74F8F), ref: 00BADD60
SizeofResource.KERNEL32(?,00000000,?,?,00B74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B74F8F), ref: 00BADD75
LockResource.KERNEL32(00B74EEE,?,?,00B74EEE,?,?,00000000,00000000,?,?,?,?,?,?,00B74F8F,00000000), ref: 00BADD88

Strings

SCRIPT, xrefs: 00B75006

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8d3da45e92bbc66f188ff357f99fecde635e9569b24a23e6043aaec2e331e0b0
Instruction ID: b2284abf8ed0126ac35d884dba024418e4d599cc554554324547346c60d61628
Opcode Fuzzy Hash: 8d3da45e92bbc66f188ff357f99fecde635e9569b24a23e6043aaec2e331e0b0
Instruction Fuzzy Hash: 13115A75200705AFD7318B65DC58F777BB9EFC9B51F2081A8F41A872A0DBA1E800C6A0

Function 00BD4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00BAE7C1), ref: 00BD46A6
FindFirstFileW.KERNELBASE(?,?), ref: 00BD46B7
FindClose.KERNEL32(00000000), ref: 00BD46C7

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: ab0d82c9810bad21268a7c6e75a92cc4583a11ea133861cfce98d36ac4d7d264
Instruction ID: 8c232ee97a2ee470f710bdc087d4acef01dc36a390f51f931c3304b7589c1682
Opcode Fuzzy Hash: ab0d82c9810bad21268a7c6e75a92cc4583a11ea133861cfce98d36ac4d7d264
Instruction Fuzzy Hash: BDE0D8354104015B42106738EC4D4FAB79CDE06335F100796F936C32E0FBB09950D599

Function 00B7E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00BB428C

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 9e54d7e3bd82f08491438d6b37b50dd6bb1fc682530c9c1f2571f19e3a195b92
Instruction ID: e0a5b35f0c1e0008a833bdbc97ea73fa2d1fe6b7ae1b5a7c96f88aaf35b9971b
Opcode Fuzzy Hash: 9e54d7e3bd82f08491438d6b37b50dd6bb1fc682530c9c1f2571f19e3a195b92
Instruction Fuzzy Hash: E4A23975A04205CFCB24CF58C480AAAB7F1FF58310F6485E9E92AAB352D775ED42CB91

Function 00B80B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B80BBB
timeGetTime.WINMM ref: 00B80E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B80FB3
TranslateMessage.USER32(?), ref: 00B80FC7
DispatchMessageW.USER32(?), ref: 00B80FD5
Sleep.KERNEL32(0000000A), ref: 00B80FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00B8105A
DestroyWindow.USER32 ref: 00B81066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B81080
Sleep.KERNEL32(0000000A,?,?), ref: 00BB52AD
TranslateMessage.USER32(?), ref: 00BB608A
DispatchMessageW.USER32(?), ref: 00BB6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00BB60AC

Strings

@GUI_CTRLID, xrefs: 00BB5364
@GUI_WINHANDLE, xrefs: 00BB53B9
@GUI_CTRLHANDLE, xrefs: 00BB540E
@COM_EVENTOBJ, xrefs: 00BB591A
@TRAY_ID, xrefs: 00BB5BB9

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 4edc4bd78c1ebf3fc52c9a68cda2dfdf682a1394eb858243013146e437a070db
Instruction ID: 96bee1ad091feaa527c1643a6a29cde6181c77c2ae5fbcf3ca23313d7028521c
Opcode Fuzzy Hash: 4edc4bd78c1ebf3fc52c9a68cda2dfdf682a1394eb858243013146e437a070db
Instruction Fuzzy Hash: CDB26E706087419FD734EF24C884BBAB7E5FF84304F1489ADE59A972A1DBB1E845CB42

Function 00BD93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BD91E9: __time64.LIBCMT ref: 00BD91F3

Part of subcall function 00B75045: _fseek.LIBCMT ref: 00B7505D

__wsplitpath.LIBCMT ref: 00BD94BE

Part of subcall function 00B9432E: __wsplitpath_helper.LIBCMT ref: 00B9436E

_wcscpy.LIBCMT ref: 00BD94D1
_wcscat.LIBCMT ref: 00BD94E4
__wsplitpath.LIBCMT ref: 00BD9509
_wcscat.LIBCMT ref: 00BD951F
_wcscat.LIBCMT ref: 00BD9532

Part of subcall function 00BD922F: _memmove.LIBCMT ref: 00BD9268
Part of subcall function 00BD922F: _memmove.LIBCMT ref: 00BD9277

_wcscmp.LIBCMT ref: 00BD9479

Part of subcall function 00BD99BE: _wcscmp.LIBCMT ref: 00BD9AAE
Part of subcall function 00BD99BE: _wcscmp.LIBCMT ref: 00BD9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00BD96DC
_wcsncpy.LIBCMT ref: 00BD974F
DeleteFileW.KERNEL32(?,?), ref: 00BD9785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BD979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BD97BE

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 0a3339d68f87225d4fa98f44cfc89991169788c5af2d0da60e53d61778ba0a43
Instruction ID: 43339b59aedd188a888e6a1604ce1e876e47c282f4706299deaa99403ef71d06
Opcode Fuzzy Hash: 0a3339d68f87225d4fa98f44cfc89991169788c5af2d0da60e53d61778ba0a43
Instruction Fuzzy Hash: B9C109B1D00219AADF21DF95CC85AEEBBBDEF55310F0040EAF609E7251EB709A448F65

Function 00B73015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B73074
RegisterClassExW.USER32(00000030), ref: 00B7309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B730AF
InitCommonControlsEx.COMCTL32(?), ref: 00B730CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B730DC
LoadIconW.USER32(000000A9), ref: 00B730F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B73101

Strings

TaskbarCreated, xrefs: 00B730A4
0, xrefs: 00B73056
+, xrefs: 00B7305D
AutoIt v3 GUI, xrefs: 00B73090

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5e7e5f552bdb1f82e30123fd9a5f62d274c9dd3d927d35a7e4e28ba8563cd329
Instruction ID: d72686edccd8f012a5eef1005b8274f5ac2cc3dbe92df7ef6aed959b16481d95
Opcode Fuzzy Hash: 5e7e5f552bdb1f82e30123fd9a5f62d274c9dd3d927d35a7e4e28ba8563cd329
Instruction Fuzzy Hash: 883125B191030AAFDB009FA4E888BEDBBF0FF08310F10852AE590E72A0D7B95585CF51

Function 00B73041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B73074
RegisterClassExW.USER32(00000030), ref: 00B7309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B730AF
InitCommonControlsEx.COMCTL32(?), ref: 00B730CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B730DC
LoadIconW.USER32(000000A9), ref: 00B730F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B73101

Strings

TaskbarCreated, xrefs: 00B730A4
0, xrefs: 00B73056
+, xrefs: 00B7305D
AutoIt v3 GUI, xrefs: 00B73090

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 7c5982e57d301c371c96883a37d27651ef992bd49fe88c91015db2ca3860b033
Instruction ID: fa604105aece6aa91da2df31893ace9f38038ed658cdcb218ac41541e9a6df12
Opcode Fuzzy Hash: 7c5982e57d301c371c96883a37d27651ef992bd49fe88c91015db2ca3860b033
Instruction Fuzzy Hash: AA21B7B1910219BFDB00DFA4E889BEDBBF4FB08700F00852AF610A72A0DBB14544CF95

Function 00B771EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B74864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C362F8,?,00B737C0,?), ref: 00B74882

Part of subcall function 00B9074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00B772C5), ref: 00B90771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B77308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BAECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BAED32
RegCloseKey.ADVAPI32(?), ref: 00BAED70
_wcscat.LIBCMT ref: 00BAEDC9

Strings

Include, xrefs: 00BAECE8, 00BAED29
Software\AutoIt v3\AutoIt, xrefs: 00B772FE
\Include\, xrefs: 00B772C5
\, xrefs: 00BAEDEC

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 7e8a7afbfea8d811fba8ede135cdefd8240597ae7092702fd2410cda538e0e3e
Instruction ID: e21be5d5ee0ef26ab6439d6676f889cb13d536631f2af22982bf68fe9535c8a9
Opcode Fuzzy Hash: 7e8a7afbfea8d811fba8ede135cdefd8240597ae7092702fd2410cda538e0e3e
Instruction Fuzzy Hash: F5715CB14183059EC724EF25DC81AAFB7E8FF55740F404A6EF459C72A0EB719948CB61

Function 00B73A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B73A62
LoadCursorW.USER32(00000000,00007F00), ref: 00B73A71
LoadIconW.USER32(00000063), ref: 00B73A88
LoadIconW.USER32(000000A4), ref: 00B73A9A
LoadIconW.USER32(000000A2), ref: 00B73AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B73AD2
RegisterClassExW.USER32(?), ref: 00B73B28

Part of subcall function 00B73041: GetSysColorBrush.USER32(0000000F), ref: 00B73074
Part of subcall function 00B73041: RegisterClassExW.USER32(00000030), ref: 00B7309E
Part of subcall function 00B73041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B730AF
Part of subcall function 00B73041: InitCommonControlsEx.COMCTL32(?), ref: 00B730CC
Part of subcall function 00B73041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B730DC
Part of subcall function 00B73041: LoadIconW.USER32(000000A9), ref: 00B730F2
Part of subcall function 00B73041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B73101

Strings

AutoIt v3, xrefs: 00B73B17
0, xrefs: 00B73B06
#, xrefs: 00B73B0D

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 11e124d68794fe37d4541f7d7e37c0983673cd0b6ed5e582ebed7229d3df953c
Instruction ID: 8e14fda5dc48d35b040d2cfe4bf17e81ce39627d22f716e102462d60fe6ede76
Opcode Fuzzy Hash: 11e124d68794fe37d4541f7d7e37c0983673cd0b6ed5e582ebed7229d3df953c
Instruction Fuzzy Hash: 61216D71D20308BFDB10AFA4EC49BAEBBF4FB08714F00816AE504A72A1C7B65954DF54

Function 00B73633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00B736D2
KillTimer.USER32(?,00000001), ref: 00B736FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B7371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B7372A
CreatePopupMenu.USER32 ref: 00B7373E
PostQuitMessage.USER32(00000000), ref: 00B7375F

Strings

TaskbarCreated, xrefs: 00B73725

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4d54c66dc408fbc874ebeaeeef3b227d69374733fb577a3bf3a48642473bc422
Instruction ID: 1a735f8764361edbafe1a8038d1662c7a2609e1ed968b2c1f3a669b4862d39f4
Opcode Fuzzy Hash: 4d54c66dc408fbc874ebeaeeef3b227d69374733fb577a3bf3a48642473bc422
Instruction Fuzzy Hash: 8C4103F1218105BBDF146F28DC89B7E37D4EB44B00F1485A9F92A972E1CB61EE40E762

Function 00B73778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 00B738CE
CMDLINERAW, xrefs: 00B7380D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00B737C0
/ErrorStdOut, xrefs: 00B7388F
/AutoIt3ExecuteLine, xrefs: 00B738B9
CMDLINE, xrefs: 00B73834
/AutoIt3OutputDebug, xrefs: 00B738A4

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 62d5e956d283d89cccc777c5db94b5de64b2eb80a752032f5e388b1d1e3a6152
Instruction ID: be6c7415076e1380aebb40f9e338580e05a7a2da950082847f933ec742bd44f4
Opcode Fuzzy Hash: 62d5e956d283d89cccc777c5db94b5de64b2eb80a752032f5e388b1d1e3a6152
Instruction Fuzzy Hash: CBA1607181421DAADF04EBA0CC95EEEB7F8FF14700F0084A9E42AB7191DF755A09CB61

Function 02572650 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 02572721
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 02572947

Memory Dump Source

Source File: 00000000.00000002.1361446928.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_documentos.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
Instruction ID: 26b69ae8f3405c0ad12fc831df05a81c1eeb1d8bbc3c402ce5b2d4668ee869ac
Opcode Fuzzy Hash: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
Instruction Fuzzy Hash: 06A13774E40209EBDB14CFA4D994BEEBBB5FF48314F208559E901BB280D7759A81CF58

Function 00B739E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B73A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B73A36
ShowWindow.USER32(00000000,?,?), ref: 00B73A4A
ShowWindow.USER32(00000000,?,?), ref: 00B73A53

Strings

AutoIt v3, xrefs: 00B73A0D, 00B73A12, 00B73A13
edit, xrefs: 00B73A30

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f438dfabff5f877fffb7a8f67fd9d44bb80138570a3f72a43c1c4cac3b8db21c
Instruction ID: 6608aeb60dfe50029e24c32a9ed8a9f83ed95ed1a859443a6116d21d8a0a3ce5
Opcode Fuzzy Hash: f438dfabff5f877fffb7a8f67fd9d44bb80138570a3f72a43c1c4cac3b8db21c
Instruction Fuzzy Hash: 11F030716102947EEA301717AC08F3B6E7DDBC7F50B028029B900A3170C9B61810CA70

Function 02572410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02572300: Sleep.KERNELBASE(000001F4), ref: 02572311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0257253A

Strings

RFS1UBL58JENL1LR, xrefs: 0257259D, 025725A0

Memory Dump Source

Source File: 00000000.00000002.1361446928.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_documentos.jbxd

Similarity

API ID: CreateFileSleep
String ID: RFS1UBL58JENL1LR
API String ID: 2694422964-601717579
Opcode ID: 96434494dea8c87d6c73474f70bac834afcf9837b41f9894bf3fa8e63dd5f3a0
Instruction ID: 611f9bb95658fb9aa94c42a8895ee60a043552800ec7bb06a7723fa7046b373f
Opcode Fuzzy Hash: 96434494dea8c87d6c73474f70bac834afcf9837b41f9894bf3fa8e63dd5f3a0
Instruction Fuzzy Hash: 6F519070D44249EBEF11DBA4D864BEEBB79AF48300F004599E649BB2C0D7B90B44CB69

Function 00B7410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BAD5EC

Part of subcall function 00B77D2C: _memmove.LIBCMT ref: 00B77D66

_memset.LIBCMT ref: 00B7418D
_wcscpy.LIBCMT ref: 00B741E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B741F1

Strings

Line: , xrefs: 00BAD615

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 80ee57f48e4d62384033be907c4a4f06069cd0c54413a5f87ba3b099bb9e17d9
Instruction ID: e2ad80755646cec138444bc5d50ac8b2a2381ce3ada215e10dfff74c86130791
Opcode Fuzzy Hash: 80ee57f48e4d62384033be907c4a4f06069cd0c54413a5f87ba3b099bb9e17d9
Instruction Fuzzy Hash: 1C31C471448314AAD721EB60DC45FEF77ECAF44300F10C5AAF5A9A21A1DF749648C792

Function 00B9564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00B956AB
_memcpy_s.LIBCMT ref: 00B9571D
__read_nolock.LIBCMT ref: 00B9577B
__filbuf.LIBCMT ref: 00B9579E
_memset.LIBCMT ref: 00B957E2

Part of subcall function 00B98D68: __getptd_noexit.LIBCMT ref: 00B98D68

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: b2ffdd76f2348556c38215a7331c07182ffb2aa7712f9c1f23a20553efac85db
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 2151BC30A40B05DBDF368FB9C8806AEB7E5EF41320F2486B9E825962D0D7749E518B50

Function 00B769CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00B74F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B74F6F

_free.LIBCMT ref: 00BAE68C
_free.LIBCMT ref: 00BAE6D3

Part of subcall function 00B76BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B76D0D

Strings

Bad directive syntax error, xrefs: 00BAE6BB
>>>AUTOIT SCRIPT<<<, xrefs: 00BAE462

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: ffcc756b367acdfe8994d1139ecd7e35b5600f54fccbd839eed7da234e6aeca6
Instruction ID: d68730e3eacfc46545fcd3e8454fd961882baf7e4e9d002593c0e45ea63287ee
Opcode Fuzzy Hash: ffcc756b367acdfe8994d1139ecd7e35b5600f54fccbd839eed7da234e6aeca6
Instruction Fuzzy Hash: B7915E71914219AFCF14EFA8C8919EDB7F4FF19314F1484AAF825AB291EB30D905CB60

Function 00B735B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00B735A1,SwapMouseButtons,00000004,?), ref: 00B735D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00B735A1,SwapMouseButtons,00000004,?,?,?,?,00B72754), ref: 00B735F5
RegCloseKey.KERNELBASE(00000000,?,?,00B735A1,SwapMouseButtons,00000004,?,?,?,?,00B72754), ref: 00B73617

Strings

Control Panel\Mouse, xrefs: 00B735D2

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 54b81b30fc33e1521434e9feaa883954d9f8f364a8e8c69c9478200ce70359c0
Instruction ID: 9f57e591dd42993c5041404f923dd01fc0abc43673a525f4fea6443828a61554
Opcode Fuzzy Hash: 54b81b30fc33e1521434e9feaa883954d9f8f364a8e8c69c9478200ce70359c0
Instruction Fuzzy Hash: 39114871515218BFDB208F64DC80DBEB7F8EF04B40F1084A9E809D7210E671DF40A760

Function 02571300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 02571B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02571B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02571B73

Memory Dump Source

Source File: 00000000.00000002.1361446928.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_documentos.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: 788e734f1e9044fc5fe8857797b89d2112c7983b93434a4a9825791a7a55f5a1
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 23621830A54618DBEB24CFA4D840BDEB776FF58300F1091A9D50DEB290E77A9E81CB59

Function 00B9493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B949D0
__flush.LIBCMT ref: 00B949F0
__write.LIBCMT ref: 00B94A23
__flsbuf.LIBCMT ref: 00B94A51

Part of subcall function 00B98D68: __getptd_noexit.LIBCMT ref: 00B98D68

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 08bd19a599a8bf14fab837849a78691305aca8a2f71122dff40815853fe70adb
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: AC41D370A006069FDF28CFA9C880DAF7BE6EF85360B2485FDE855C7650E7709D428B44

Function 00B773E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BAEE62
GetOpenFileNameW.COMDLG32(?), ref: 00BAEEAC

Part of subcall function 00B748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B748A1,?,?,00B737C0,?), ref: 00B748CE

Part of subcall function 00B909D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B909F4

Strings

X, xrefs: 00BAEE7A

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: da34392e2d815dbbc7a44288899587aa27dc0b529108707557e007da1d187bc9
Instruction ID: 46735300e74aaef92d0c4fbe764934a0cfd5fcd212748acbb1f493e209654d1d
Opcode Fuzzy Hash: da34392e2d815dbbc7a44288899587aa27dc0b529108707557e007da1d187bc9
Instruction Fuzzy Hash: 3321C370A142589BCF51DF98C845BEE7BF89F49300F00809AE418EB281DFB459898BA1

Function 00BD901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BD9036
__fread_nolock.LIBCMT ref: 00BD904B

Strings

EA06, xrefs: 00BD907D

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 76367b5ab9e7919c5d33386f1f272ca9b91bd4c909f8a2d45a365bd8bacc5a95
Instruction ID: 165b6456a0bc13ac984ccc844139abc8f1e6b809e5d15e319bb1278c33d641d8
Opcode Fuzzy Hash: 76367b5ab9e7919c5d33386f1f272ca9b91bd4c909f8a2d45a365bd8bacc5a95
Instruction Fuzzy Hash: 6501F9718042186EDF29C7A8D856EEEBBFCDB01301F0085EBF552D2181E575E6048760

Function 00BD9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00BD9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00BD9B99

Strings

aut, xrefs: 00BD9B93

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: de2527d57048be4aa6c835a8455e876ac34bd70a5f6163ed3e1d17adbd3e8b86
Instruction ID: 83c4525d2493acf150ffb16b5b545a13aee04a6476e027e28b20979a7f6db15a
Opcode Fuzzy Hash: de2527d57048be4aa6c835a8455e876ac34bd70a5f6163ed3e1d17adbd3e8b86
Instruction Fuzzy Hash: 4AD05E7994030EABDB10AB94EC0EFBA772CEB04700F0042B1BE54D31A2DEB09598CB91

Function 00BECDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42332673b5ed879b03d2343cbd503d9ab107d1d8ffcf2d331b5d5c9c8c5c5831
Instruction ID: a19cef631e39721bf4cbc25a7cdbc414424dc7018d0ad43b1b082fd0f41ef08b
Opcode Fuzzy Hash: 42332673b5ed879b03d2343cbd503d9ab107d1d8ffcf2d331b5d5c9c8c5c5831
Instruction Fuzzy Hash: BDF15B706083419FC714DF29C484A6ABBE5FF88314F1489AEF8A99B352D771E945CF82

Function 00B7F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B903A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B903D3
Part of subcall function 00B903A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B903DB
Part of subcall function 00B903A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B903E6
Part of subcall function 00B903A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B903F1
Part of subcall function 00B903A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B903F9
Part of subcall function 00B903A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B90401

Part of subcall function 00B86259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00B7FA90), ref: 00B862B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B7FB2D
OleInitialize.OLE32(00000000), ref: 00B7FBAA
CloseHandle.KERNEL32(00000000), ref: 00BB49F2

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: a784190442656864d7b38b4668a8f02e233e2973231c8ef373d332eef7197dac
Instruction ID: 3671cc842e119a1767183db28d305d5ba37c3e553eace8857b92673e3ef22a8a
Opcode Fuzzy Hash: a784190442656864d7b38b4668a8f02e233e2973231c8ef373d332eef7197dac
Instruction Fuzzy Hash: B781A9B0D25240AECB84EF3AE945769BBE4FB9A308710C57AE559C7372EB318404CF64

Function 00B743DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B74401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B744A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B744C3

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: eb9583fba27f9f0aeb862519d9b31fb4d672fcffda0795689144b8da3c932334
Instruction ID: f302f0a8853ba95291a1d3d9eac8183bf0c061d42f37e479d12290cf1d63651c
Opcode Fuzzy Hash: eb9583fba27f9f0aeb862519d9b31fb4d672fcffda0795689144b8da3c932334
Instruction Fuzzy Hash: 1A318FB05043019FD720DF24D8847ABBBF8FB49309F00496EE5AE83351EB71A944CB92

Function 00B9594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00B95963

Part of subcall function 00B9A3AB: __NMSG_WRITE.LIBCMT ref: 00B9A3D2
Part of subcall function 00B9A3AB: __NMSG_WRITE.LIBCMT ref: 00B9A3DC

__NMSG_WRITE.LIBCMT ref: 00B9596A

Part of subcall function 00B9A408: GetModuleFileNameW.KERNEL32(00000000,00C343BA,00000104,?,00000001,00000000), ref: 00B9A49A
Part of subcall function 00B9A408: ___crtMessageBoxW.LIBCMT ref: 00B9A548

Part of subcall function 00B932DF: ___crtCorExitProcess.LIBCMT ref: 00B932E5
Part of subcall function 00B932DF: ExitProcess.KERNEL32 ref: 00B932EE

Part of subcall function 00B98D68: __getptd_noexit.LIBCMT ref: 00B98D68

RtlAllocateHeap.NTDLL(01680000,00000000,00000001,00000000,?,?,?,00B91013,?), ref: 00B9598F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 38994337c0d38ef4cbaae2a6647b69d8b5880d9da9dba267237647d2761b7cc2
Instruction ID: 64e234f8e1dace81335322ef6d55e868e79ac738207ae430b5e28d72e4a9b1e7
Opcode Fuzzy Hash: 38994337c0d38ef4cbaae2a6647b69d8b5880d9da9dba267237647d2761b7cc2
Instruction Fuzzy Hash: A6019231281B15EEFE362B74D842B6E72C8DF52B75F1100BAF505AB281DE719D018765

Function 00BD9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00BD97D2,?,?,?,?,?,00000004), ref: 00BD9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00BD97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00BD9B5B
CloseHandle.KERNEL32(00000000,?,00BD97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00BD9B62

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 50c42cae40b7a79d77a78d898b7d6b6a75c527bb66d76a8433db70d2ae6ca08b
Instruction ID: 84257dab28cde7783fd4457671da7623027e61d1e471279335ef2152402e25a3
Opcode Fuzzy Hash: 50c42cae40b7a79d77a78d898b7d6b6a75c527bb66d76a8433db70d2ae6ca08b
Instruction Fuzzy Hash: BAE08632180215B7D7211B54EC09FEE7B58EF05761F144121FB147B0E08BB12A21D798

Function 00BD8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BD8FA5

Part of subcall function 00B92F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00B99C64), ref: 00B92FA9
Part of subcall function 00B92F95: GetLastError.KERNEL32(00000000,?,00B99C64), ref: 00B92FBB

_free.LIBCMT ref: 00BD8FB6
_free.LIBCMT ref: 00BD8FC8

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction ID: f4bf7a8bdb9099e210c831cebdae4fd48d21bcebf0e9f62b6fef82e6d7bf5d2e
Opcode Fuzzy Hash: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction Fuzzy Hash: D2E012A5A097016ACE24A778AD51B93A7EE9F48351B180CAEB409DB243EE24F8418128

Function 00B7AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00BB002B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 9161a6552672c931da1ce0d32716f4cf7964c8573b425f52002c6ed66f834e68
Instruction ID: 5ef280ec35681a73a8ccdad069dc6c911e08c9f79c5e8d2d15c66ba6081c144a
Opcode Fuzzy Hash: 9161a6552672c931da1ce0d32716f4cf7964c8573b425f52002c6ed66f834e68
Instruction Fuzzy Hash: 7D222770508241DFCB24DF14C494B6ABBE1FF85300F1589ADE8AA9B362D771ED85DB82

Function 00B74DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B74E1A

Strings

EA06, xrefs: 00BADCF5

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 38455c161a85dca6f9bace681055a1854b1b0bb9774f6fe47921ab796d2ecc6a
Instruction ID: a7665af3b2e07c5e96292bb56fc073bc3a1eddf91c2f01d4a695c716d51cafe7
Opcode Fuzzy Hash: 38455c161a85dca6f9bace681055a1854b1b0bb9774f6fe47921ab796d2ecc6a
Instruction Fuzzy Hash: 82419D31A045549BCF295B6488917BF7FE5EB06311F68C0F5F8AEAB282D7619D4083A1

Function 00B7492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00B74992

Part of subcall function 00B935AC: __lock.LIBCMT ref: 00B935B2
Part of subcall function 00B935AC: DecodePointer.KERNEL32(00000001,?,00B749A7,00BC81BC), ref: 00B935BE
Part of subcall function 00B935AC: EncodePointer.KERNEL32(?,?,00B749A7,00BC81BC), ref: 00B935C9

Part of subcall function 00B74A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B74A73
Part of subcall function 00B74A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B74A88

Part of subcall function 00B73B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B73B7A
Part of subcall function 00B73B4C: IsDebuggerPresent.KERNEL32 ref: 00B73B8C
Part of subcall function 00B73B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C362F8,00C362E0,?,?), ref: 00B73BFD
Part of subcall function 00B73B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00B73C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B749D2

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 8c291372a3b784acc8d59b18484dd3a3fcfa52493d9fe482d880528861786ad2
Instruction ID: 464a750fbc0a27e533d6f5116f8b4bf853e64089a60bd9b74e75f00e427cb561
Opcode Fuzzy Hash: 8c291372a3b784acc8d59b18484dd3a3fcfa52493d9fe482d880528861786ad2
Instruction Fuzzy Hash: 96116A71928311ABC700EF69D845A1EFBF8EB99710F01856EF459832B2DB719A44CB92

Function 00B75DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00B75981,?,?,?,?), ref: 00B75E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00B75981,?,?,?,?), ref: 00BAE19C

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2e7f8601da971d28c2e9e5356ef0a6c43f70fc735ccbc4c9bdd8a448b9d09b8d
Instruction ID: ed381ec051c71eef25465b4ee8e87ac3dc6f53ad30f263c8ea5b27c7062d5558
Opcode Fuzzy Hash: 2e7f8601da971d28c2e9e5356ef0a6c43f70fc735ccbc4c9bdd8a448b9d09b8d
Instruction Fuzzy Hash: 40014C70244609BEF7350E24CC8AF763ADCEB06768F10C369BAF96A1E0C6F45E558B50

Function 00B90FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B9594C: __FF_MSGBANNER.LIBCMT ref: 00B95963
Part of subcall function 00B9594C: __NMSG_WRITE.LIBCMT ref: 00B9596A
Part of subcall function 00B9594C: RtlAllocateHeap.NTDLL(01680000,00000000,00000001,00000000,?,?,?,00B91013,?), ref: 00B9598F

std::exception::exception.LIBCMT ref: 00B9102C
__CxxThrowException@8.LIBCMT ref: 00B91041

Part of subcall function 00B987DB: RaiseException.KERNEL32(?,?,?,00C2BAF8,00000000,?,?,?,?,00B91046,?,00C2BAF8,?,00000001), ref: 00B98830

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: ad9bf0a84601e2134e459d1b565f7f4038d03e32590efd3120611942f5f42aef
Instruction ID: 0c919100103219723f6ae9196d205ee75fc6151c7feb6f8acf1920f7f64323e0
Opcode Fuzzy Hash: ad9bf0a84601e2134e459d1b565f7f4038d03e32590efd3120611942f5f42aef
Instruction Fuzzy Hash: 16F0C87550031EA6CF21BA98EC059DF7BECDF01350F2044B5F80496591DFB29E80E2E0

Function 00B9582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B9585C
__lock_file.LIBCMT ref: 00B9587D

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: c77b87125cd8a0b754c7e8124994cbe8adc3be2fe468bb426a67fee72e024737
Instruction ID: 14eff98fb0f7e03d835595090fe62a5e60d13bb4c684c8fb7e397b9b27e162cf
Opcode Fuzzy Hash: c77b87125cd8a0b754c7e8124994cbe8adc3be2fe468bb426a67fee72e024737
Instruction Fuzzy Hash: 48018471840A08EBCF23AF699C4559E7BE5AF41360F1442B5B8145A1A1DB318A21DB91

Function 00B955D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B98D68: __getptd_noexit.LIBCMT ref: 00B98D68

__lock_file.LIBCMT ref: 00B9561B

Part of subcall function 00B96E4E: __lock.LIBCMT ref: 00B96E71

__fclose_nolock.LIBCMT ref: 00B95626

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 71644821823d11ac569d1a565a46f0e3856c478751b0076a16b4775eb9c2d418
Instruction ID: 514f4da954ee9adfc0660e7acfc25c6705cd0a6dc396569a1440203460386701
Opcode Fuzzy Hash: 71644821823d11ac569d1a565a46f0e3856c478751b0076a16b4775eb9c2d418
Instruction Fuzzy Hash: F0F02431840A009ADF32BF35980276E7BE06F02334F6582F9E414AB0C1CF7C8A018B51

Function 00B781C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00B7558F,?,?,?,?,?), ref: 00B781DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00B7558F,?,?,?,?,?), ref: 00B7820D

Part of subcall function 00B778AD: _memmove.LIBCMT ref: 00B778E9

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 0d65d23a61d3e36965cf07da87bf059435e77d1c93c356ffb4f82e2feacc65db
Instruction ID: f401c8c90b3026ea2a50ddd17257f86f6e66bc1f8445bb1c7136bdca7b4fd2bb
Opcode Fuzzy Hash: 0d65d23a61d3e36965cf07da87bf059435e77d1c93c356ffb4f82e2feacc65db
Instruction Fuzzy Hash: 8D01AD31245604BFEB246A25DD8AF7B3BACEF89760F10816AFD09DE191DE319900D671

Function 025712FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 02571B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 02571B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02571B73

Memory Dump Source

Source File: 00000000.00000002.1361446928.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_documentos.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: a50ff4384f0d1fb8bc250b0be92fe764b377797cbbdea732ae522ae438afeda0
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 1512CC24E24658C6EB24DF64D8507DEB232FF68300F1095E9910DEB7A4E77A4E81CF5A

Function 00B82123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b72fd16306fc9afeeaa9bf8d3ba0de989aff065a5b26136ea56bd7fb3d1da58
Instruction ID: 87b5456dccf3e78001b509e5629989046149d3babb419068b5e3494bb0cb4788
Opcode Fuzzy Hash: 2b72fd16306fc9afeeaa9bf8d3ba0de989aff065a5b26136ea56bd7fb3d1da58
Instruction Fuzzy Hash: 2A515B35600604AFCF14EB68C995EBE77E6EF85710F1480E8F95AAB392DA74ED00CB51

Function 00B75C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00B75CF6

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9fcf78a9477e381026b880fa6b1e9efc2fc34f2f1762e4062b9672ffee92ca49
Instruction ID: c45a4a2b58da58f67e4c3c6efa6192eb37cef3e87ce4f5a35a3d4792211ae7f4
Opcode Fuzzy Hash: 9fcf78a9477e381026b880fa6b1e9efc2fc34f2f1762e4062b9672ffee92ca49
Instruction Fuzzy Hash: E9311A71A00B19AFCB28DF69C484A6DB7F5FF48310F15C669E82993710D7B1AD60DB90

Function 00BB00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00BB00E1

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e8dda236ee311f04791f4cfde672744fd0962f0a0d1148bc6997506dd46ac481
Instruction ID: bab6ed28b499e94937e36b286722673b109738916d6205e4a3787ff6eb241694
Opcode Fuzzy Hash: e8dda236ee311f04791f4cfde672744fd0962f0a0d1148bc6997506dd46ac481
Instruction Fuzzy Hash: E0410674508341CFDB24DF18C484B2ABBE0FF85318F1989ACE9995B762D772E845CB52

Function 00B74F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B74D13: FreeLibrary.KERNEL32(00000000,?), ref: 00B74D4D

Part of subcall function 00B9548B: __wfsopen.LIBCMT ref: 00B95496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00C362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B74F6F

Part of subcall function 00B74CC8: FreeLibrary.KERNEL32(00000000), ref: 00B74D02

Part of subcall function 00B74DD0: _memmove.LIBCMT ref: 00B74E1A

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 213b30e854f719ffa739700cf83ee5bbc33d5f63869bfe1bf10eacfd0b753864
Instruction ID: 7c7fdfc9e4eb4d9370bf2105408d857b1576a510c029d1b768712222ec2a52a3
Opcode Fuzzy Hash: 213b30e854f719ffa739700cf83ee5bbc33d5f63869bfe1bf10eacfd0b753864
Instruction Fuzzy Hash: 2B11E731704209ABCF25EF70CC42BAE77E4DF41712F10C4A9F5AAAB2C1DB719A059B90

Function 00BB01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00BB01BB

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 15dab11fe65008649a00061344d67af30a224d49541030a42d0035dfda75f31a
Instruction ID: c5aa6eab14ec8861223032e6dc134cad62bc10260fee0dc9c856ad1646626ea3
Opcode Fuzzy Hash: 15dab11fe65008649a00061344d67af30a224d49541030a42d0035dfda75f31a
Instruction Fuzzy Hash: 532113B4508341DFCB64DF24C484A2BBBE0FF88304F1489A8E9AA57761D732E849DB52

Function 00B75D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00B75807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00B75D76

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6396d40663ea86e1d876df924ff75437102670200ef16047be0703167ad3faeb
Instruction ID: 997194ac4e08cce3f17680e878027ba6ede3e395ee661ac6471dbb7963fff528
Opcode Fuzzy Hash: 6396d40663ea86e1d876df924ff75437102670200ef16047be0703167ad3faeb
Instruction Fuzzy Hash: 21113331200B05AFD3308F55C888F62B7E9EF45760F10C96EE4AE8AA50DBB0F945CB60

Function 00B94A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00B94AD6

Part of subcall function 00B98D68: __getptd_noexit.LIBCMT ref: 00B98D68

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: db9bc4e206cc35bbc919839ab380a5d69834275d6b39060bf0a7c3a24fe2e788
Instruction ID: 42892dbc907eb131f846c29c0d90091a309e1b6ad2c6cca44591b10bbbb9a285
Opcode Fuzzy Hash: db9bc4e206cc35bbc919839ab380a5d69834275d6b39060bf0a7c3a24fe2e788
Instruction Fuzzy Hash: 04F0C231940209ABDF61AF74CC06BAF37E1AF01326F1885B4F424AA1E1CB788A52DF51

Function 00B74FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00C362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B74FDE

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 93b065b1524244a5916e8fdda46efdd4252ce5d947c99a93f6c8069efadda2ee
Instruction ID: 3dc4ed53d51b494fc97b0117b7a8918415811ba3986f7a1ee2ccd89dd55bce93
Opcode Fuzzy Hash: 93b065b1524244a5916e8fdda46efdd4252ce5d947c99a93f6c8069efadda2ee
Instruction Fuzzy Hash: 9FF01571105712CFCB349F64E494922BBE1EF1432A321CABEE1EE8A610C771A840DF50

Function 00B909D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B909F4

Part of subcall function 00B77D2C: _memmove.LIBCMT ref: 00B77D66

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 8685ceff93bc9bf5b58acf9d0011875cb6176ed106a8ff0f225af44534973b50
Instruction ID: ff79dcc51c229bc4000506b3c5a5c9a5138f0fcb3c8e627c370edda5c13b60f3
Opcode Fuzzy Hash: 8685ceff93bc9bf5b58acf9d0011875cb6176ed106a8ff0f225af44534973b50
Instruction Fuzzy Hash: 65E0CD7694422857C720D69C9C05FFA77EDDF89790F0441F5FC0CD7204DD609D818690

Function 00BD9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00BD914B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 5155ae3f14d2e35c61ebfc092e7c24907d04a5d1faa6f1d83dcb5e9f9bfaa890
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 1DE092B0204B005FDB358A24D8507E3B7E0EB06315F00085DF29A93341EB6278418759

Function 00B75DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00BAE16B,?,?,00000000), ref: 00B75DBF

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 23e9540b4ebb456cddce534edd4e2c1d9dc1f5813d17b551d7c7eabe1b3a9200
Instruction ID: 7932be663cf915a8333c16069d550d37e10a35774dd19d758ec0e5440820a8cd
Opcode Fuzzy Hash: 23e9540b4ebb456cddce534edd4e2c1d9dc1f5813d17b551d7c7eabe1b3a9200
Instruction Fuzzy Hash: 7BD09E74640208BFE610DB80DC46FA9777CDB05710F100194BD046729096B27E508695

Function 00B9548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00B95496

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 3bd5e81cffec51855a93ad8b5c54982de394fcb84833749c231fa70a2802c80f
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 8EB0927688020C77DE522E82EC02A593B599B40678F808060FB0C18262A673A6A09689

Function 00BDD2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00BDD46A

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 2a40532db20cb3a99460435d8052f457d50c8681e7d0e164e85d4ed62c8da343
Instruction ID: fa042e179886a6152fee09bc0cb39286987cee58b635c2ed2766e7ee28b61020
Opcode Fuzzy Hash: 2a40532db20cb3a99460435d8052f457d50c8681e7d0e164e85d4ed62c8da343
Instruction Fuzzy Hash: AF7152306047028FC714EF24D4D1A6AB7E0EF88714F1449ADF59A9B3A2EB70ED49CB52

Function 00B90E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00B90EF7

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 69c2e170ee7a6323ff436398c434cc410787eee2f3722dc1b3067fa43af4b4cb
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3931A271A10505DFCB18EF58D480A69F7E6FF59300B648AE5E909CB652D731EEC1CB90

Function 02572300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 02572311

Memory Dump Source

Source File: 00000000.00000002.1361446928.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_documentos.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: bc2587b28a817e16f260d3ffbaec027f0420ef8dfedb0b19a4147505c9c01f12
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D5E0E67498010DDFDB00EFB4D54969E7FF4FF04301F100561FD05D2280D6309D508A62

Non-executed Functions

Function 00BFCDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B72612: GetWindowLongW.USER32(?,000000EB), ref: 00B72623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00BFCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BFCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00BFCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BFCF00
SendMessageW.USER32 ref: 00BFCF29
_wcsncpy.LIBCMT ref: 00BFCFA1
GetKeyState.USER32(00000011), ref: 00BFCFC2
GetKeyState.USER32(00000009), ref: 00BFCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BFCFE5
GetKeyState.USER32(00000010), ref: 00BFCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BFD018
SendMessageW.USER32 ref: 00BFD03F
SendMessageW.USER32(?,00001030,?,00BFB602), ref: 00BFD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00BFD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00BFD16E
SetCapture.USER32(?), ref: 00BFD177
ClientToScreen.USER32(?,?), ref: 00BFD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00BFD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BFD203
ReleaseCapture.USER32 ref: 00BFD20E
GetCursorPos.USER32(?), ref: 00BFD248
ScreenToClient.USER32(?,?), ref: 00BFD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BFD2B1
SendMessageW.USER32 ref: 00BFD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BFD31C
SendMessageW.USER32 ref: 00BFD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BFD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BFD37B
GetCursorPos.USER32(?), ref: 00BFD39B
ScreenToClient.USER32(?,?), ref: 00BFD3A8
GetParent.USER32(?), ref: 00BFD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00BFD431
SendMessageW.USER32 ref: 00BFD462
ClientToScreen.USER32(?,?), ref: 00BFD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BFD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00BFD51A
SendMessageW.USER32 ref: 00BFD53D
ClientToScreen.USER32(?,?), ref: 00BFD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BFD5C3

Part of subcall function 00B725DB: GetWindowLongW.USER32(?,000000EB), ref: 00B725EC

GetWindowLongW.USER32(?,000000F0), ref: 00BFD65F

Strings

@GUI_DRAGID, xrefs: 00BFD1AA
F, xrefs: 00BFD543

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 5077d991e259ed30dfbf6021541c13ed2dd4f79e0495a1cc39c4f35fa0d0768c
Instruction ID: d644b6a0bf879953feae1b14ca7ddf52674e50a6d4ee0064052e56dc6c88e54c
Opcode Fuzzy Hash: 5077d991e259ed30dfbf6021541c13ed2dd4f79e0495a1cc39c4f35fa0d0768c
Instruction Fuzzy Hash: F642AE74204249EFCB25CF28C984FBABFE5FF49314F144599F655872A1CB31A898CB92

Function 00BF804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00BF873F

Strings

%d/%02d/%02d, xrefs: 00BF8478

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: aed2bc59d2b0ad64e5e441feb8930f195cf05eac15e40b0213bafbed81bf5421
Instruction ID: f7b07ed0e2b4db4f29d6fb5f6aff20db9b180aba5550ce94c8470a48f63ccb26
Opcode Fuzzy Hash: aed2bc59d2b0ad64e5e441feb8930f195cf05eac15e40b0213bafbed81bf5421
Instruction Fuzzy Hash: 19129271500209ABEB259F28CC89FBE7BF4EF45710F2441A9F615EB2A1DF709945CB10

Function 00B8710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B875C2
_memset.LIBCMT ref: 00B876B1
_memmove.LIBCMT ref: 00B87C4B
_memmove.LIBCMT ref: 00B87E4F

Strings

[:<:]], xrefs: 00B875F1
\b(?<=\w), xrefs: 00BC3C41
[:>:]], xrefs: 00B8760A
Q\E, xrefs: 00B881C1
DEFINE, xrefs: 00BC25AF
\b(?=\w), xrefs: 00BC3C34

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 0ee72723c6e64cf78d8b23da37eacfc617abfe08a2f05980260c187208f8e8a8
Instruction ID: 97ac7381449ef373a62bcb425305ef3a2ecfeba165c6bd7ecfd6e12f0688f3ab
Opcode Fuzzy Hash: 0ee72723c6e64cf78d8b23da37eacfc617abfe08a2f05980260c187208f8e8a8
Instruction Fuzzy Hash: E693A171A00219DBDB24DF58C891BADB7F1FF48714F6481AEE945EB290EB709E81CB50

Function 00B74A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00B74A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BADA8E
IsIconic.USER32(?), ref: 00BADA97
ShowWindow.USER32(?,00000009), ref: 00BADAA4
SetForegroundWindow.USER32(?), ref: 00BADAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BADAC4
GetCurrentThreadId.KERNEL32 ref: 00BADACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BADAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BADAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00BADAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00BADAF8
SetForegroundWindow.USER32(?), ref: 00BADAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BADB10
keybd_event.USER32(00000012,00000000), ref: 00BADB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BADB25
keybd_event.USER32(00000012,00000000), ref: 00BADB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BADB33
keybd_event.USER32(00000012,00000000), ref: 00BADB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BADB42
keybd_event.USER32(00000012,00000000), ref: 00BADB47
SetForegroundWindow.USER32(?), ref: 00BADB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00BADB71

Strings

Shell_TrayWnd, xrefs: 00BADA89

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9e4f627eb3993e26c519758d20bfab1383daaf035ca1f00f629e583b3ec76f1c
Instruction ID: 6351ea961c603b4e5e0fbbb3daed6a1c4f103b65ca7fa94647739eb9444478b3
Opcode Fuzzy Hash: 9e4f627eb3993e26c519758d20bfab1383daaf035ca1f00f629e583b3ec76f1c
Instruction Fuzzy Hash: FC317271A44319BBEB206FA19C89F7E7EACEF45B50F114065FA05EB1D0CAB05D00EBA4

Function 00BC8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00BC8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC8D0D
Part of subcall function 00BC8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC8D3A
Part of subcall function 00BC8CC3: GetLastError.KERNEL32 ref: 00BC8D47

_memset.LIBCMT ref: 00BC889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00BC88ED
CloseHandle.KERNEL32(?), ref: 00BC88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BC8915
GetProcessWindowStation.USER32 ref: 00BC892E
SetProcessWindowStation.USER32(00000000), ref: 00BC8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BC8952

Part of subcall function 00BC8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BC8851), ref: 00BC8728
Part of subcall function 00BC8713: CloseHandle.KERNEL32(?,?,00BC8851), ref: 00BC873A

Strings

, xrefs: 00BC88AA
default, xrefs: 00BC894D
winsta0, xrefs: 00BC8910

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 219359bbdcc215015af3f453edbf3ef4bdc409a7579f56825086fa6b8267482b
Instruction ID: 9f05a3d722a8b337d9ee09282116e4cfe982ae15715512079347ce3663fa9bea
Opcode Fuzzy Hash: 219359bbdcc215015af3f453edbf3ef4bdc409a7579f56825086fa6b8267482b
Instruction Fuzzy Hash: EF81F47190021AAFDF119FA4DC45EBEBBB8EF04344F1841AAF924A7261DF718E15DB60

Function 00BE425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00BFF910), ref: 00BE4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00BE4292
GetClipboardData.USER32(0000000D), ref: 00BE429A
CloseClipboard.USER32 ref: 00BE42A6
GlobalLock.KERNEL32(00000000), ref: 00BE42C2
CloseClipboard.USER32 ref: 00BE42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00BE42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00BE42EE
GetClipboardData.USER32(00000001), ref: 00BE42F6
GlobalLock.KERNEL32(00000000), ref: 00BE4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00BE4337
CloseClipboard.USER32 ref: 00BE4447

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 9934b96df74fdfb34e68b7a05d4b1718384a61c3929bca857685699c1697f909
Instruction ID: 879c926d89b57246540a6007b4a1da4ff9b0c7b79864f25e12bb68d52b181452
Opcode Fuzzy Hash: 9934b96df74fdfb34e68b7a05d4b1718384a61c3929bca857685699c1697f909
Instruction Fuzzy Hash: 2C516831204242ABD311AB61EC96F7E77E8EF84B01F1045A9B69AD72A1DF70D904CB62

Function 00BDC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BDC9F8
FindClose.KERNEL32(00000000), ref: 00BDCA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BDCA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BDCA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00BDCAAF
__swprintf.LIBCMT ref: 00BDCAFB
__swprintf.LIBCMT ref: 00BDCB3E

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

__swprintf.LIBCMT ref: 00BDCB92

Part of subcall function 00B938D8: __woutput_l.LIBCMT ref: 00B93931

__swprintf.LIBCMT ref: 00BDCBE0

Part of subcall function 00B938D8: __flsbuf.LIBCMT ref: 00B93953
Part of subcall function 00B938D8: __flsbuf.LIBCMT ref: 00B9396B

__swprintf.LIBCMT ref: 00BDCC2F
__swprintf.LIBCMT ref: 00BDCC7E
__swprintf.LIBCMT ref: 00BDCCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00BDCAF5
%4d, xrefs: 00BDCB38
%02d, xrefs: 00BDCB86, 00BDCB90, 00BDCBDE, 00BDCC2D, 00BDCC7C, 00BDCCCB

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 442e80c758b654643f95ecb3180427bcfd4c1e3335393ecc45f0519c06a86256
Instruction ID: 59495fdcd5160d246c0172de602323f66f276f56d35119f4369898bbd721e5ad
Opcode Fuzzy Hash: 442e80c758b654643f95ecb3180427bcfd4c1e3335393ecc45f0519c06a86256
Instruction Fuzzy Hash: ADA13EB1508305ABC710EB64C9C5DAFB7ECFF94700F40496AF5AAD7191EA34DA09CB62

Function 00BDF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00BDF221
_wcscmp.LIBCMT ref: 00BDF236
_wcscmp.LIBCMT ref: 00BDF24D
GetFileAttributesW.KERNEL32(?), ref: 00BDF25F
SetFileAttributesW.KERNEL32(?,?), ref: 00BDF279
FindNextFileW.KERNEL32(00000000,?), ref: 00BDF291
FindClose.KERNEL32(00000000), ref: 00BDF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00BDF2B8
_wcscmp.LIBCMT ref: 00BDF2DF
_wcscmp.LIBCMT ref: 00BDF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00BDF308
SetCurrentDirectoryW.KERNEL32(00C2A5A0), ref: 00BDF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BDF330
FindClose.KERNEL32(00000000), ref: 00BDF33D
FindClose.KERNEL32(00000000), ref: 00BDF34F

Strings

*.*, xrefs: 00BDF2B3

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 1a52069ec1058db674c76addc55deee60c97d474f8cea0af37317fdada971784
Instruction ID: e2405abd2e15e2277284e0dcd5525812a3cf5c44f50dc1d942a1b1931bd14246
Opcode Fuzzy Hash: 1a52069ec1058db674c76addc55deee60c97d474f8cea0af37317fdada971784
Instruction Fuzzy Hash: B931807650461B6BDB10DBA4EC89AFEB7ECDF08360F1441B6F815D32A0EB34DA45CA58

Function 00BF0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BF0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00BFF910,00000000,?,00000000,?,?), ref: 00BF0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00BF0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00BF0D1D
RegCloseKey.ADVAPI32(?), ref: 00BF103D
RegCloseKey.ADVAPI32(00000000), ref: 00BF104A

Strings

REG_EXPAND_SZ, xrefs: 00BF0CBA
REG_SZ, xrefs: 00BF0D5B
REG_MULTI_SZ, xrefs: 00BF0E05
REG_BINARY, xrefs: 00BF0FD8
REG_DWORD, xrefs: 00BF0F0E
REG_QWORD, xrefs: 00BF0F8B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 4a024ca7de0d47e546cecffdea8621fda6aa58d91e92d176b68287a2c13ceb21
Instruction ID: 8082684287a96515bd1c0c650c9bb13cc519b7154457712b685e321ffced26bd
Opcode Fuzzy Hash: 4a024ca7de0d47e546cecffdea8621fda6aa58d91e92d176b68287a2c13ceb21
Instruction Fuzzy Hash: 75025F756006119FDB14EF24C895E2AB7E5FF88724F0488ADF99A9B362CB30ED45CB41

Function 00BDF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00BDF37E
_wcscmp.LIBCMT ref: 00BDF393
_wcscmp.LIBCMT ref: 00BDF3AA

Part of subcall function 00BD45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BD45DC

FindNextFileW.KERNEL32(00000000,?), ref: 00BDF3D9
FindClose.KERNEL32(00000000), ref: 00BDF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00BDF400
_wcscmp.LIBCMT ref: 00BDF427
_wcscmp.LIBCMT ref: 00BDF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00BDF450
SetCurrentDirectoryW.KERNEL32(00C2A5A0), ref: 00BDF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BDF478
FindClose.KERNEL32(00000000), ref: 00BDF485
FindClose.KERNEL32(00000000), ref: 00BDF497

Strings

*.*, xrefs: 00BDF3FB

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 81455b22acf3f0fe76a0183f362b5327a1073371bddff375f8e0ab339003fd92
Instruction ID: 6a0c13389c5744878eab3a1d13576b2dec4f10ffac3c4588baf5ee0e64688428
Opcode Fuzzy Hash: 81455b22acf3f0fe76a0183f362b5327a1073371bddff375f8e0ab339003fd92
Instruction Fuzzy Hash: D531B37550521B6BCF109BA4EC88AFFB7ECDF09324F1401B6E805A32A1EB34DE44CA54

Function 00BC81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC8766
Part of subcall function 00BC874A: GetLastError.KERNEL32(?,00BC822A,?,?,?), ref: 00BC8770
Part of subcall function 00BC874A: GetProcessHeap.KERNEL32(00000008,?,?,00BC822A,?,?,?), ref: 00BC877F
Part of subcall function 00BC874A: HeapAlloc.KERNEL32(00000000,?,00BC822A,?,?,?), ref: 00BC8786
Part of subcall function 00BC874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC879D

Part of subcall function 00BC87E7: GetProcessHeap.KERNEL32(00000008,00BC8240,00000000,00000000,?,00BC8240,?), ref: 00BC87F3
Part of subcall function 00BC87E7: HeapAlloc.KERNEL32(00000000,?,00BC8240,?), ref: 00BC87FA
Part of subcall function 00BC87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00BC8240,?), ref: 00BC880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BC825B
_memset.LIBCMT ref: 00BC8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BC828F
GetLengthSid.ADVAPI32(?), ref: 00BC82A0
GetAce.ADVAPI32(?,00000000,?), ref: 00BC82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BC82F9
GetLengthSid.ADVAPI32(?), ref: 00BC8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00BC8325
HeapAlloc.KERNEL32(00000000), ref: 00BC832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BC834D
CopySid.ADVAPI32(00000000), ref: 00BC8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BC8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BC83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BC83BF

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d8955f75226c7b0f4271b0dcf75c90fa39f642b50b613fabb7ee22e17bc2a33e
Instruction ID: d5f5447f26eb4ad6dddc5c51f51ef18b0ef0e0723d9aee3409d1cada0b8d10af
Opcode Fuzzy Hash: d8955f75226c7b0f4271b0dcf75c90fa39f642b50b613fabb7ee22e17bc2a33e
Instruction Fuzzy Hash: 80613D71A0010ABBDF109FA4DC84EBEBBB9FF44700F148269F915A7251DF319A05CB64

Function 00B86843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

CRLF), xrefs: 00BC16FA
LIMIT_RECURSION=, xrefs: 00BC1635
ANY), xrefs: 00BC1717
UTF16), xrefs: 00BC1508
BSR_UNICODE), xrefs: 00BC1771
UCP), xrefs: 00BC1546
BSR_ANYCRLF), xrefs: 00BC1757
LF), xrefs: 00BC16DD
UTF), xrefs: 00BC1533
ANYCRLF), xrefs: 00BC1734
LIMIT_MATCH=, xrefs: 00BC15A9
NO_AUTO_POSSESS), xrefs: 00BC1567
NO_START_OPT), xrefs: 00BC1588
CR), xrefs: 00BC16C0

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: c8b69c28da337d88a6b15b8ab3a90ea2812f76575b8e0e3566ae074bed764847
Instruction ID: b280028a270942c0ea9dae1be509c4f146342c6f488a27d5e6bd1b1131e7cebc
Opcode Fuzzy Hash: c8b69c28da337d88a6b15b8ab3a90ea2812f76575b8e0e3566ae074bed764847
Instruction Fuzzy Hash: 77726F71E002199BDF14DF58C880BAEB7F5FF49310F1485AAE949EB291EB709D81CB90

Function 00BF0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BF0038,?,?), ref: 00BF10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BF0737

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BF07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BF086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00BF0AAD
RegCloseKey.ADVAPI32(00000000), ref: 00BF0ABA

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: e86e4f912a0604f9c9ae3f700a7fe74be421681554f2e36ab3acffc508ef6716
Instruction ID: 0dc72eac65a51e762b3381ea1f64a95a1b623012cdc05ab5a5b2e9721e47fbbc
Opcode Fuzzy Hash: e86e4f912a0604f9c9ae3f700a7fe74be421681554f2e36ab3acffc508ef6716
Instruction Fuzzy Hash: 02E15D31214315AFCB14EF28C885E3ABBE5EF89714B0489ADF55ADB262DB30ED05CB51

Function 00BD0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BD0241
GetAsyncKeyState.USER32(000000A0), ref: 00BD02C2
GetKeyState.USER32(000000A0), ref: 00BD02DD
GetAsyncKeyState.USER32(000000A1), ref: 00BD02F7
GetKeyState.USER32(000000A1), ref: 00BD030C
GetAsyncKeyState.USER32(00000011), ref: 00BD0324
GetKeyState.USER32(00000011), ref: 00BD0336
GetAsyncKeyState.USER32(00000012), ref: 00BD034E
GetKeyState.USER32(00000012), ref: 00BD0360
GetAsyncKeyState.USER32(0000005B), ref: 00BD0378
GetKeyState.USER32(0000005B), ref: 00BD038A

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b0d14a23b45afc6f67d8a489308f6653766d3913791ffcef3c4d51a55d412d1a
Instruction ID: 9579d16a9e84b4e76e61efb9df835e33e8bbd9cf535209bcb968bc14d93a3a5a
Opcode Fuzzy Hash: b0d14a23b45afc6f67d8a489308f6653766d3913791ffcef3c4d51a55d412d1a
Instruction Fuzzy Hash: 4D4174245257CA6AFB31AA6488083B5FAE0EF15350F4840DFD9C6477C2FA9499C8C7A6

Function 00BE86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

CoInitialize.OLE32 ref: 00BE8718
CoUninitialize.OLE32 ref: 00BE8723
CoCreateInstance.OLE32(?,00000000,00000017,00C02BEC,?), ref: 00BE8783
IIDFromString.OLE32(?,?), ref: 00BE87F6
VariantInit.OLEAUT32(?), ref: 00BE8890
VariantClear.OLEAUT32(?), ref: 00BE88F1

Strings

NULL Pointer assignment, xrefs: 00BE87C8
Failed to create object, xrefs: 00BE878E, 00BE8844
Invalid parameter, xrefs: 00BE880F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 89fab290c24c3bc6a31de0511f9b714c30fa405352489d55692ef1b33cbcd832
Instruction ID: 6bcf509d60180c2f6e91d4d73f5b6d2879ef18d5421fc000e0ff16998699b19a
Opcode Fuzzy Hash: 89fab290c24c3bc6a31de0511f9b714c30fa405352489d55692ef1b33cbcd832
Instruction Fuzzy Hash: 2B61CF70608B419FD710DF26D888B6BBBE8EF48714F10489DF9899B291DB70ED44CB92

Function 00BE4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00BE447F
EmptyClipboard.USER32 ref: 00BE4485
GlobalAlloc.KERNEL32(00000002,?), ref: 00BE449A
CloseClipboard.USER32 ref: 00BE4539

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6920fd1d6a45fb768f5156867a22c59793c658679e088c18af167e3aac85dd53
Instruction ID: 67b2eb09e34242a8ac0d64ab682ead02154cb05f35c73e06c34fadedf57c636f
Opcode Fuzzy Hash: 6920fd1d6a45fb768f5156867a22c59793c658679e088c18af167e3aac85dd53
Instruction Fuzzy Hash: 01215A35301212AFDB10AF65EC49B7E77E8EF54721F1080AAF94ADB2A1CF74A900CB54

Function 00BD3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B748A1,?,?,00B737C0,?), ref: 00B748CE

Part of subcall function 00BD4CD3: GetFileAttributesW.KERNEL32(?,00BD3947), ref: 00BD4CD4

FindFirstFileW.KERNEL32(?,?), ref: 00BD3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00BD3B87
MoveFileW.KERNEL32(?,?), ref: 00BD3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00BD3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00BD3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00BD3BF5

Strings

\*.*, xrefs: 00BD3A8A, 00BD3A93, 00BD3AA8

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: df874c9cbf1b3b219a1ccf5d1658bb5a566be463d7f49d85f4b72d33e25c7f6b
Instruction ID: fc614816df57757d9d503f5282e3990964fa4dd69ee61eceaf342b751579b61f
Opcode Fuzzy Hash: df874c9cbf1b3b219a1ccf5d1658bb5a566be463d7f49d85f4b72d33e25c7f6b
Instruction Fuzzy Hash: 9E516E318051499ACB15EBA0CD929EDB7F8EF14300F6481EAE45677192EF316F09CBA1

Function 00BDF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00BDF6AB
Sleep.KERNEL32(0000000A), ref: 00BDF6DB
_wcscmp.LIBCMT ref: 00BDF6EF
_wcscmp.LIBCMT ref: 00BDF70A
FindNextFileW.KERNEL32(?,?), ref: 00BDF7A8
FindClose.KERNEL32(00000000), ref: 00BDF7BE

Strings

*.*, xrefs: 00BDF690

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 4dcef636be7fae46f24317cf024d3b475549d5b48df6665c4a165e2bf258c64e
Instruction ID: 442a228dad289906e591799c96e7aed9af78b637ceb24e51cdc9743c2204b4f0
Opcode Fuzzy Hash: 4dcef636be7fae46f24317cf024d3b475549d5b48df6665c4a165e2bf258c64e
Instruction Fuzzy Hash: C0414E7590421A9BDF15DF64CC85AFEBBF4FF05310F1445A6E81AA72A1EB309E44CB90

Function 00B84140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00B844DB
VUUU, xrefs: 00B84520
ERCP, xrefs: 00B8421F
VUUU, xrefs: 00B844ED
VUUU, xrefs: 00BB7B0C

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 43220a1bee498146a647ac1b078f568eaee005e61e0d757eed28834687607097
Instruction ID: e82909b93e213056fc57ff212e32f55dbef6d3d6e8fac3827c17ea67c7383078
Opcode Fuzzy Hash: 43220a1bee498146a647ac1b078f568eaee005e61e0d757eed28834687607097
Instruction Fuzzy Hash: 96A25974A0421ACBDF24EF58C9907FDB7F1EB54314F2481EAD85AA7290EB709E85CB50

Function 00B858C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B85A05
_memmove.LIBCMT ref: 00B85A55
_memmove.LIBCMT ref: 00B85ABB

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2a45a4db17833072ad8c9a2819804763f912b462eb0ac9b3c39930cc5ab5fb4c
Instruction ID: 4f2d908974d747066ed9b28d02227dbb6d8eb007d381d24f845b28c9a1fd1590
Opcode Fuzzy Hash: 2a45a4db17833072ad8c9a2819804763f912b462eb0ac9b3c39930cc5ab5fb4c
Instruction Fuzzy Hash: CB127B70A00609DFDF24EFA4D985BAEB7F5FF48300F1085A9E416A7261EB36AD15CB50

Function 00BD545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC8D0D
Part of subcall function 00BC8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC8D3A
Part of subcall function 00BC8CC3: GetLastError.KERNEL32 ref: 00BC8D47

ExitWindowsEx.USER32(?,00000000), ref: 00BD549B

Strings

, xrefs: 00BD5489
@, xrefs: 00BD548E
SeShutdownPrivilege, xrefs: 00BD546B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: ed18970359197d389a20c9486a25c2445817a7851f50dc898ae9f065090066a1
Instruction ID: 65a660dd40598ac4472a90ef5c9dba212e4ea65586992e2a04de3cf405ed1167
Opcode Fuzzy Hash: ed18970359197d389a20c9486a25c2445817a7851f50dc898ae9f065090066a1
Instruction Fuzzy Hash: E3012871654A121AF7385674DC8AFB6F2D8EF04352F2000A7FC0AD33D6F9500C808992

Function 00BE6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00BE65EF
WSAGetLastError.WSOCK32(00000000), ref: 00BE65FE
bind.WSOCK32(00000000,?,00000010), ref: 00BE661A
listen.WSOCK32(00000000,00000005), ref: 00BE6629
WSAGetLastError.WSOCK32(00000000), ref: 00BE6643
closesocket.WSOCK32(00000000,00000000), ref: 00BE6657

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 033560e0390b9b50440a240b1a9271fad321e66178273ee5b758d003e957d8d5
Instruction ID: 432330339ce7dc679263133ea963b82c7966bf4e2535cc47812f3a719f5de4a9
Opcode Fuzzy Hash: 033560e0390b9b50440a240b1a9271fad321e66178273ee5b758d003e957d8d5
Instruction Fuzzy Hash: EB218D302002059FCB10AF24C889B7EB7F9EF44360F1481A9E96AA73D1CB70AD01CB51

Function 00B85680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00B90FF6: std::exception::exception.LIBCMT ref: 00B9102C
Part of subcall function 00B90FF6: __CxxThrowException@8.LIBCMT ref: 00B91041

_memmove.LIBCMT ref: 00BC062F
_memmove.LIBCMT ref: 00BC0744
_memmove.LIBCMT ref: 00BC07EB

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: fb313bc54b83b2cc0de7660fa2caaa6728fc66ddce8c6e55191a449dbecd1d64
Instruction ID: 682a0f42dbc752c48174f946feb4152343e7f36c8ce4b24def30f7695fe9acb4
Opcode Fuzzy Hash: fb313bc54b83b2cc0de7660fa2caaa6728fc66ddce8c6e55191a449dbecd1d64
Instruction Fuzzy Hash: A2025D70A10209DBDF14EF64D981BAEBBF5EF44300F1480E9E80AEB255EB359E55CB91

Function 00B71287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00B72612: GetWindowLongW.USER32(?,000000EB), ref: 00B72623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B719FA
GetSysColor.USER32(0000000F), ref: 00B71A4E
SetBkColor.GDI32(?,00000000), ref: 00B71A61

Part of subcall function 00B71290: DefDlgProcW.USER32(?,00000020,?), ref: 00B712D8

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 973ecb24fb60bcea2bb9f769a16f8459ccb0e0a35cba73eb11846984f6b5e23c
Instruction ID: df8245b767aa73a4842d1b631fe8af85dbb449a2d91900dd754e29c9dc007708
Opcode Fuzzy Hash: 973ecb24fb60bcea2bb9f769a16f8459ccb0e0a35cba73eb11846984f6b5e23c
Instruction Fuzzy Hash: 8CA15871109548BAD628AB2C8C84E7F39DDDB46351F14C9DAF53AD7193EE20CD42D2B2

Function 00BE6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BE80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BE6AB1
WSAGetLastError.WSOCK32(00000000), ref: 00BE6ADA
bind.WSOCK32(00000000,?,00000010), ref: 00BE6B13
WSAGetLastError.WSOCK32(00000000), ref: 00BE6B20
closesocket.WSOCK32(00000000,00000000), ref: 00BE6B34

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: d12e5860f03d1b0b1cdf6d83ebdfa9256a7fb52f51ed9bb8b795fadcc75a48fd
Instruction ID: 9a1f3997c11192c9d257ae813cee673c6c80c5a2aed100a8f63ba6726f661e62
Opcode Fuzzy Hash: d12e5860f03d1b0b1cdf6d83ebdfa9256a7fb52f51ed9bb8b795fadcc75a48fd
Instruction Fuzzy Hash: AE417575640210AFEB10AF649C86F7E77E5DF44720F44C0A8F95AAB3D2DB709D008791

Function 00BF55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00BF564C
IsWindowEnabled.USER32 ref: 00BF565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00BF5667
IsIconic.USER32 ref: 00BF5675
IsZoomed.USER32 ref: 00BF5683

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e94b2ca3d6e281c7883f3ae643422125123d161c4e3c332bf5da62dc5c12adf8
Instruction ID: 291c225fb8a3171dbeb925d6a26df124acbf38d7747e21903a92f38532a15f27
Opcode Fuzzy Hash: e94b2ca3d6e281c7883f3ae643422125123d161c4e3c332bf5da62dc5c12adf8
Instruction Fuzzy Hash: EA1190317009157BEB211F26DC44B3ABBD8EF94721B458079EB2AD7241CB309901CAA4

Function 00BEC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BB1D88,?), ref: 00BEC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00BEC324

Strings

kernel32.dll, xrefs: 00BEC30D
GetSystemWow64DirectoryW, xrefs: 00BEC31E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 3b30c8110c3c96c82d68e303c74867f89b96a750de7e1c89b0776362f25a2dbf
Instruction ID: a66bb303af8c751dc40ba768651504c1cb6cc5fbcee3d07277f778e31f8907d9
Opcode Fuzzy Hash: 3b30c8110c3c96c82d68e303c74867f89b96a750de7e1c89b0776362f25a2dbf
Instruction Fuzzy Hash: F1E01274610713CFDB344F2AD844BA67AE4EF09756B80C4B9E896D3660EB70D841CB60

Function 00B83190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 233b3c495028c50bcb8a9c0d15c5e02e7698ade7a9a9c23cfb3356daf41eaa78
Instruction ID: f204d34eef1cca542db517468710d684bd1f7602a79b7d9e59d97cad3016825c
Opcode Fuzzy Hash: 233b3c495028c50bcb8a9c0d15c5e02e7698ade7a9a9c23cfb3356daf41eaa78
Instruction Fuzzy Hash: D6227E715083019FC724EF14C891BAFB7E4EF94B10F1489ADF59A972A1DB71EA04CB92

Function 00BEF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00BEF151
Process32FirstW.KERNEL32(00000000,?), ref: 00BEF15F

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

Process32NextW.KERNEL32(00000000,?), ref: 00BEF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00BEF22E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: a66ae3fe08ea4110651b4ab990ac84d01ec7ec004f78078c6e230454849a1bf1
Instruction ID: 5b1cc2003848af1896301f2285ed205007f58d2ffba35e1ccaa2a61ed8e7ae96
Opcode Fuzzy Hash: a66ae3fe08ea4110651b4ab990ac84d01ec7ec004f78078c6e230454849a1bf1
Instruction Fuzzy Hash: 9D516F715043419FD310EF24DC85E6BB7E8EF94710F50886DF5AA97291EB70EA04CB92

Function 00BD40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00BD40D1
_memset.LIBCMT ref: 00BD40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00BD4144
CloseHandle.KERNEL32(00000000), ref: 00BD414D

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: d2e6991c947b2ce3b86df8e5fed445b5a8270a78fe203edcf23972d0779d46ad
Instruction ID: 5d937c57e516450f2f35a596388d8e973cc745055f4c176557f1d6a0d24879fa
Opcode Fuzzy Hash: d2e6991c947b2ce3b86df8e5fed445b5a8270a78fe203edcf23972d0779d46ad
Instruction Fuzzy Hash: 5811AB759012287AD7305BA59C4DFBBBBBCEF44760F1041E6F908E7280D6744E80CBA4

Function 00BCEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BCEB19

Strings

|, xrefs: 00BCEB49
(, xrefs: 00BCEB5F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 289a5697764abba9466339a83f189e9d0d2a9aed4e009b94b84994fc9335e3ae
Instruction ID: cd17425521621308bb54704567b1f82f460e2c10557bc6882d4dbba35dd45cab
Opcode Fuzzy Hash: 289a5697764abba9466339a83f189e9d0d2a9aed4e009b94b84994fc9335e3ae
Instruction Fuzzy Hash: C132F275A00605DFDB28CF19C481E6AB7F1FF48710B15C5AEE9AA9B2A1D770E941CB40

Function 00BE25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00BE26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00BE270C

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 72da3204279a402e04189552f9fcdd81ce05b9efd73fa9325f319917ce925972
Instruction ID: 163ff438c2e1f0be7a8cc58d40f61eaacddb14604e411a68724b982ff8e6bb6e
Opcode Fuzzy Hash: 72da3204279a402e04189552f9fcdd81ce05b9efd73fa9325f319917ce925972
Instruction Fuzzy Hash: 9B41C171A00249BFEB209B96DCC5EBBB7FCEB40724F1041AAFA01A6140EB719E419760

Function 00BDB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BDB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BDB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00BDB655

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8da3f10f069d72cba9d5ee2410f78b2edb2e979c7cb534ff5bf6f9faf73574f7
Instruction ID: f01d83d1fc4217638792ddd4ddb6d0e5b4cf5ae59ad2b181aafaf2ecbbe39163
Opcode Fuzzy Hash: 8da3f10f069d72cba9d5ee2410f78b2edb2e979c7cb534ff5bf6f9faf73574f7
Instruction Fuzzy Hash: 12213C35A00518EFCB00EFA5D884EADFBF8FF88310F1580AAE945AB351DB31A955CB51

Function 00BC8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B90FF6: std::exception::exception.LIBCMT ref: 00B9102C
Part of subcall function 00B90FF6: __CxxThrowException@8.LIBCMT ref: 00B91041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BC8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BC8D3A
GetLastError.KERNEL32 ref: 00BC8D47

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 878ff76f55489e1f5597a1aededa65098440e33f8041aee69986bf691c23d342
Instruction ID: 0cc66a6562d94fd513b56f4c227fdcd967dcd4670ee22d3102f1d2e0cd7d9fe8
Opcode Fuzzy Hash: 878ff76f55489e1f5597a1aededa65098440e33f8041aee69986bf691c23d342
Instruction Fuzzy Hash: F8118CB1814209AFE728AF68DC85E7BB7F8EF44711B20856EF45697241EF30AC40CB64

Function 00BD4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BD4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BD4C43
FreeSid.ADVAPI32(?), ref: 00BD4C53

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 659b60932cf3c1b067b246ce74c6b64ef749da7b569b60b4a431b94cfefcba50
Instruction ID: 8bda4e1663cdde1e994b7c295d6e90ccbb77448b8212819e6798befa104c8a0a
Opcode Fuzzy Hash: 659b60932cf3c1b067b246ce74c6b64ef749da7b569b60b4a431b94cfefcba50
Instruction Fuzzy Hash: 72F0E775A51209BBDB04DFF49D89ABEBBB8EF08211F5044A9A901E3281EA756A448B50

Function 00B7E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e490386abd21fdfc0fe0726ae7ebcb1783659ec33ea9d07384b9429c542011fb
Instruction ID: ef49d8beb9b3e6296f018b1baebc6f2a54a17b10e19035171b3df2c3c42be40c
Opcode Fuzzy Hash: e490386abd21fdfc0fe0726ae7ebcb1783659ec33ea9d07384b9429c542011fb
Instruction Fuzzy Hash: 7F226A70A002169FDB24DF58C481AAEB7F1FF08304F14C5E9E86AAB351E775E985CB91

Function 00BDC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00BDC966
FindClose.KERNEL32(00000000), ref: 00BDC996

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a377838086e6c1b6fe4a9a7d7f9626508af4468eada332d45616ccfe61453684
Instruction ID: b80d2cc6016f1300bef625f35d3d5daedcc2e9f9420e1e609cf46b2cced84672
Opcode Fuzzy Hash: a377838086e6c1b6fe4a9a7d7f9626508af4468eada332d45616ccfe61453684
Instruction Fuzzy Hash: FE115E726106019FDB10EF29D885A2AF7E9EF84324F00856EF9A9D7391DB34AD05CB81

Function 00BDA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00BE977D,?,00BFFB84,?), ref: 00BDA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00BE977D,?,00BFFB84,?), ref: 00BDA314

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8d0996221f1d2b0910f14a4d898d5da7b8e062c7f44bc6a2df4eb9bf09633d16
Instruction ID: 36c2227d144ea9d565e586952e7173bf6d526e958b8ec65016e93a21ea333894
Opcode Fuzzy Hash: 8d0996221f1d2b0910f14a4d898d5da7b8e062c7f44bc6a2df4eb9bf09633d16
Instruction Fuzzy Hash: D5F0823554422DABDB109FA4CC48FFA77ADFF09761F0081A6F918D7281DA309940CBA5

Function 00BC8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BC8851), ref: 00BC8728
CloseHandle.KERNEL32(?,?,00BC8851), ref: 00BC873A

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 82868d7d665cb619cad8fb3e9f1492d2861470cf66973cb12e2687ca55847601
Instruction ID: c1494745be6e084dbe29fe99885833a1e81a40a099bbaa3ded7ced9a989430b6
Opcode Fuzzy Hash: 82868d7d665cb619cad8fb3e9f1492d2861470cf66973cb12e2687ca55847601
Instruction Fuzzy Hash: 55E0EC76010612EFEB252B64EC09E777BE9EF04390724897DF4A681470DF63AC90EB14

Function 00B9A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B98F97,?,?,?,00000001), ref: 00B9A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B9A3A3

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f87e8734cdc4bd11876372194ec5e72dd6901e518857498606abaeac53727348
Instruction ID: 6f2b761776f85585b8e34f9074d1f4d56b09e15ce108d470850fb943d4955915
Opcode Fuzzy Hash: f87e8734cdc4bd11876372194ec5e72dd6901e518857498606abaeac53727348
Instruction Fuzzy Hash: 85B0923105420AABCA102B91EC09BB83F6AEF44BA2F404020F60D87060CF625450CA99

Function 00B9F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa53e91cb3b788534bd0fd4df8cf79d6716d121d2c52753a8db71f105672562
Instruction ID: 16ad141f41131ab7507ea82b9c06c35f34d0a19d98c656ffce71edb06849eff2
Opcode Fuzzy Hash: 0aa53e91cb3b788534bd0fd4df8cf79d6716d121d2c52753a8db71f105672562
Instruction Fuzzy Hash: 99322621D69F024EDB279634D87233AA298EFB73D4F15D737E819B59A6EB28D4834100

Function 00BA267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effe33fbb5d566abbe23e63253e634498b1ed532236b60a77231ac3f21c2a923
Instruction ID: 08254e424ee849f6f6538ffeb31022a34e44749361bba0e4c0686c2427af9df0
Opcode Fuzzy Hash: effe33fbb5d566abbe23e63253e634498b1ed532236b60a77231ac3f21c2a923
Instruction Fuzzy Hash: F5B11220D2AF414DD7239639883133ABB9CAFBB6D5F52D71BFC2670D62EB2185838141

Function 00BD8B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00BD8B25

Part of subcall function 00B9543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00BD91F8,00000000,?,?,?,?,00BD93A9,00000000,?), ref: 00B95443
Part of subcall function 00B9543A: __aulldiv.LIBCMT ref: 00B95463

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 9d21c6d72d69c71ed0f32c0cb61004c735826199ff643a4776a2f7ca48b64247
Instruction ID: 2d3f2bada73859156935410792c1e4e84079381e9a7afa1298d013a8051de15f
Opcode Fuzzy Hash: 9d21c6d72d69c71ed0f32c0cb61004c735826199ff643a4776a2f7ca48b64247
Instruction Fuzzy Hash: CA21E4B26356108FC729CF29D841B52F3E1EBA4311B288F6DD0E9CB2D0DA35B905CB94

Function 00BE41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00BE4218

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 3eaed9692d1b5794b806c2a0731246046bffd4860eef343b6fc0049a0fd45217
Instruction ID: d673b1c51f04bcf4061b13ed1121bd03ace21887946ff4863192c59f6cebfbe6
Opcode Fuzzy Hash: 3eaed9692d1b5794b806c2a0731246046bffd4860eef343b6fc0049a0fd45217
Instruction Fuzzy Hash: B3E04F31250214AFC710EF6AD844A9AF7E8EF95760F00C0A6FD49C7352DB70E841CBA0

Function 00BD4EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00BD4F18

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: c87dd8947c1a43cee6fc574833b771bd37cc08a3418d3c8b5c905cb4c4a8f060
Instruction ID: 9725381c888caa002a37a3a2c8b5d3c9dd829222c9735d1b56b0569d106c1a00
Opcode Fuzzy Hash: c87dd8947c1a43cee6fc574833b771bd37cc08a3418d3c8b5c905cb4c4a8f060
Instruction Fuzzy Hash: D3D05EB01642053BFC284B20AC0FF768288E341781F8449DB32098A6E1BAF16800E134

Function 00BC8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00BC88D1), ref: 00BC8CB3

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: d020bf299aef92e6a7fd0f31207b4dcae580bc76b5d25f3e51e13e571350418c
Instruction ID: 89e6904db034e8b6c3820f980e298ff4ce1db0233cf47e60b6b1b761ec75cd60
Opcode Fuzzy Hash: d020bf299aef92e6a7fd0f31207b4dcae580bc76b5d25f3e51e13e571350418c
Instruction Fuzzy Hash: 49D05E3226050EABEF018EA4DC01EBE3B69EB04B01F408111FE15C60A1CB75D835EB60

Function 00BB2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00BB2242

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 7ebf1bf4afc0ef99bd9d93b2d01a367c06d28fb30fca654b28d2de134dcb685c
Instruction ID: 718d843c65873b7c3170defeb730fd407355b92fe104b1f3e6b935189179ed41
Opcode Fuzzy Hash: 7ebf1bf4afc0ef99bd9d93b2d01a367c06d28fb30fca654b28d2de134dcb685c
Instruction Fuzzy Hash: DBC04CF1811109DBDB15DFA0D998DFE77BCAB04304F104495A101F3100DB749B44CE71

Function 00B9A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B9A36A

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5b492e3397b9aecd1c0f20fcf0f74625be28d6a2d553b074497f2c42d151d408
Instruction ID: ce165f166f6b94d76cdc1b8621444e7dbfc4918925e3fd15f4e81ee349de80e7
Opcode Fuzzy Hash: 5b492e3397b9aecd1c0f20fcf0f74625be28d6a2d553b074497f2c42d151d408
Instruction Fuzzy Hash: C7A0123000010DA78A001B41EC044647F6DDA002907004020F40C420218B3254108584

Function 00B88A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1366949eca1012ef3e4e202fec7b2eabe04f52ac609ee07a155765688d8a1fc6
Instruction ID: c3cbe34d64a19e646d8bcd479aeeea14252be5b64d2a78edd8ced5cd97d7fa8b
Opcode Fuzzy Hash: 1366949eca1012ef3e4e202fec7b2eabe04f52ac609ee07a155765688d8a1fc6
Instruction Fuzzy Hash: CF220530505616CBDF38AB29C4D4B7D77E2EB41340FA885EAD8429B6A5DB34ADC1CF60

Function 00B92405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 6ac0bfccd917a5225dad9c9c0e973141d7539e69c5afda9b07ed43b75e8b10cc
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 95C1733260519309DF2D473D947413EBAE19EA27B131A0BFDE4B2DB5D5EF20D524E620

Function 00B9283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 54a640ddc237df2d37f51ed2df6292e8ba9cbb7907ad2d3367e5dc235245526e
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 6DC1833260519309DF6D473E947413EBBE19AA27B131A0BFDE4B2DB5D4EF20D524A620

Function 00B91BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ab0c4c2cae5d02786d177586c8ae41eeac7564e821bdfdcf515f736b8b8d8faa
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 49C1513620519309DF2D463D947413EBAE1DAA27B171A0FFDE4B2DB5D4EF20D524B620

Function 02573670 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361446928.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: c7292479e3ff1ebb8946d47c3526be325af27dfc1bf4557c61a09bc555fd8171
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 1E41B3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50

Function 02573560 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361446928.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: f7b44b8a3059de0956b586711457c11cbd14d212fe9aaebdf0d2d16c0c9f5248
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 76018078A10109EFCB44DF98D5909AEFBB5FB88320F608699D809A7701D730AE41DB84

Function 02573500 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361446928.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: b8c193dae34e0c994ada97e723d74f21d59f79306204a68c3e7bc3da183db416
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 73019674A04109EFCB44DF98D5909ADF7B5FB48310F2085D9D819A7701D730AE41DB84

Function 02571ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1361446928.0000000002570000.00000040.00001000.00020000.00000000.sdmp, Offset: 02570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2570000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00BE7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BE7B70
DeleteObject.GDI32(00000000), ref: 00BE7B82
DestroyWindow.USER32 ref: 00BE7B90
GetDesktopWindow.USER32 ref: 00BE7BAA
GetWindowRect.USER32(00000000), ref: 00BE7BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00BE7CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00BE7D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE7D4A
GetClientRect.USER32(00000000,?), ref: 00BE7D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BE7D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE7DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE7DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE7DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE7DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE7DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE7DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE7DF8
GlobalFree.KERNEL32(00000000), ref: 00BE7E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE7E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00C02CAC,00000000), ref: 00BE7E2B
GlobalFree.KERNEL32(00000000), ref: 00BE7E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00BE7E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00BE7E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE7EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BE808F

Strings

, xrefs: 00BE8015
AutoIt v3, xrefs: 00BE7D42
DISPLAY, xrefs: 00BE7EF2
static, xrefs: 00BE7D8A, 00BE7EE1

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: f858375fcdf83a8b57b6cd926c135da76f6f2fe7066be8886b29b419cd54f0d6
Instruction ID: 784f03deb34a31fbba4bfae6e2a913cc60c9cecca38215700bfe2d8d0414be03
Opcode Fuzzy Hash: f858375fcdf83a8b57b6cd926c135da76f6f2fe7066be8886b29b419cd54f0d6
Instruction Fuzzy Hash: E0024971900159AFDB14DFA5DC89EBE7BF9EF48310F148598F919AB2A1CB70AD01CB60

Function 00BF37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00BFF910), ref: 00BF38AF
IsWindowVisible.USER32(?), ref: 00BF38D3

Strings

CHECK, xrefs: 00BF3AF5
FINDSTRING, xrefs: 00BF39FE
ISCHECKED, xrefs: 00BF3AC1
GETLINE, xrefs: 00BF3C23
SENDCOMMANDID, xrefs: 00BF3C62
GETSELECTED, xrefs: 00BF3B2B
GETCURRENTLINE, xrefs: 00BF3B75
CURRENTTAB, xrefs: 00BF3945
TABRIGHT, xrefs: 00BF3925
GETCURRENTSELECTION, xrefs: 00BF3A6B
EDITPASTE, xrefs: 00BF3BE7
SELECTSTRING, xrefs: 00BF3A8E
ADDSTRING, xrefs: 00BF399E
SETCURRENTSELECTION, xrefs: 00BF3A3E
UNCHECK, xrefs: 00BF3B0B
TABLEFT, xrefs: 00BF390F
SHOWDROPDOWN, xrefs: 00BF3968
GETCURRENTCOL, xrefs: 00BF3BB0
ISVISIBLE, xrefs: 00BF38BF
HIDEDROPDOWN, xrefs: 00BF3988
GETLINECOUNT, xrefs: 00BF3B4E
ISENABLED, xrefs: 00BF38F3
DELSTRING, xrefs: 00BF39D1

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 844a321d530abc83da7221d35fae35402c1d4c27c29ea33a846f542813d8b3da
Instruction ID: 1d2edd74eb1be80df4a7b767d416661f93ea3a8c1c0908199c0351d5ad5708ad
Opcode Fuzzy Hash: 844a321d530abc83da7221d35fae35402c1d4c27c29ea33a846f542813d8b3da
Instruction Fuzzy Hash: C4D16C302043199BCB14EF24C491A7ABBE5EF94754F1484ECF9865B7A2CB31EE4ACB41

Function 00BFA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00BFA89F
GetSysColorBrush.USER32(0000000F), ref: 00BFA8D0
GetSysColor.USER32(0000000F), ref: 00BFA8DC
SetBkColor.GDI32(?,000000FF), ref: 00BFA8F6
SelectObject.GDI32(?,?), ref: 00BFA905
InflateRect.USER32(?,000000FF,000000FF), ref: 00BFA930
GetSysColor.USER32(00000010), ref: 00BFA938
CreateSolidBrush.GDI32(00000000), ref: 00BFA93F
FrameRect.USER32(?,?,00000000), ref: 00BFA94E
DeleteObject.GDI32(00000000), ref: 00BFA955
InflateRect.USER32(?,000000FE,000000FE), ref: 00BFA9A0
FillRect.USER32(?,?,?), ref: 00BFA9D2
GetWindowLongW.USER32(?,000000F0), ref: 00BFA9FD

Part of subcall function 00BFAB60: GetSysColor.USER32(00000012), ref: 00BFAB99
Part of subcall function 00BFAB60: SetTextColor.GDI32(?,?), ref: 00BFAB9D
Part of subcall function 00BFAB60: GetSysColorBrush.USER32(0000000F), ref: 00BFABB3
Part of subcall function 00BFAB60: GetSysColor.USER32(0000000F), ref: 00BFABBE
Part of subcall function 00BFAB60: GetSysColor.USER32(00000011), ref: 00BFABDB
Part of subcall function 00BFAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BFABE9
Part of subcall function 00BFAB60: SelectObject.GDI32(?,00000000), ref: 00BFABFA
Part of subcall function 00BFAB60: SetBkColor.GDI32(?,00000000), ref: 00BFAC03
Part of subcall function 00BFAB60: SelectObject.GDI32(?,?), ref: 00BFAC10
Part of subcall function 00BFAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00BFAC2F
Part of subcall function 00BFAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BFAC46
Part of subcall function 00BFAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00BFAC5B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 4295be73d4e7fce0caa436c4b07a8a405375a5eae3c453b0de279fcd579bbe52
Instruction ID: 4d612a9bd767736f4bffd0a7843bd5af90d3ca23cc5a62745b7ed6a5f35fa6ff
Opcode Fuzzy Hash: 4295be73d4e7fce0caa436c4b07a8a405375a5eae3c453b0de279fcd579bbe52
Instruction Fuzzy Hash: D5A190B1008306AFD7149F64DC48A7B7BE9FF88321F104A29FA66971A0DB71D944CB52

Function 00B72C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00B72CA2
DeleteObject.GDI32(00000000), ref: 00B72CE8
DeleteObject.GDI32(00000000), ref: 00B72CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00B72CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00B72D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00BAC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BAC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BACAED

Part of subcall function 00B71B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B72036,?,00000000,?,?,?,?,00B716CB,00000000,?), ref: 00B71B9A

SendMessageW.USER32(?,00001053), ref: 00BACB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BACB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00BACB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00BACB62

Strings

0, xrefs: 00BAC981

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 37b0d828c81311af1f1e83c4dec9d0c32792514cd4542e1f9f4caa5849c867ee
Instruction ID: bb8ff1c602f910cb9ae26516c56ccef100d3343b47e2cc5245ff53656ff058a8
Opcode Fuzzy Hash: 37b0d828c81311af1f1e83c4dec9d0c32792514cd4542e1f9f4caa5849c867ee
Instruction Fuzzy Hash: 8B127F30608201EFDB25CF24C984BB9BBE5FF56310F5485A9E999DB262CB31EC51CB91

Function 00BE77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00BE77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BE78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00BE78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00BE7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00BE7946
GetClientRect.USER32(00000000,?), ref: 00BE7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00BE7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BE79A5
GetStockObject.GDI32(00000011), ref: 00BE79B5
SelectObject.GDI32(00000000,00000000), ref: 00BE79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00BE79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BE79D2
DeleteDC.GDI32(00000000), ref: 00BE79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BE7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00BE7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00BE7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BE7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00BE7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00BE7AAE
GetStockObject.GDI32(00000011), ref: 00BE7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BE7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00BE7ACE

Strings

AutoIt v3, xrefs: 00BE793E
DISPLAY, xrefs: 00BE799B
static, xrefs: 00BE7990, 00BE7AA8
msctls_progress32, xrefs: 00BE7A4F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: f5bf6db98161226305f7b264b5774f79e6961bca80104218892fb93918a2dffe
Instruction ID: 7245fef6de151ebd6a85fb569663abced5754917f27feecf5a659f96b726f24f
Opcode Fuzzy Hash: f5bf6db98161226305f7b264b5774f79e6961bca80104218892fb93918a2dffe
Instruction Fuzzy Hash: A2A16D71A40219BFEB149BA5DC4AFBF7BA9EF48710F008154FA15A72E0DB71AD10CB64

Function 00BDAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BDAF89
GetDriveTypeW.KERNEL32(?,00BFFAC0,?,\\.\,00BFF910), ref: 00BDB066
SetErrorMode.KERNEL32(00000000,00BFFAC0,?,\\.\,00BFF910), ref: 00BDB1C4

Strings

Fixed, xrefs: 00BDB0AE
USB, xrefs: 00BDB15B
SSA, xrefs: 00BDB14D
ATA, xrefs: 00BDB13F
SSD, xrefs: 00BDB0F1
FileBackedVirtual, xrefs: 00BDB193
RAID, xrefs: 00BDB162
Unknown, xrefs: 00BDB086, 00BDB12A
RAMDisk, xrefs: 00BDB090
SATA, xrefs: 00BDB177
Network, xrefs: 00BDB0A4
iSCSI, xrefs: 00BDB169
ATAPI, xrefs: 00BDB138
PhysicalDrive, xrefs: 00BDB012
\\.\, xrefs: 00BDAFDB
SAS, xrefs: 00BDB170
CDROM, xrefs: 00BDB09A
Virtual, xrefs: 00BDB18C
MMC, xrefs: 00BDB185
Removable, xrefs: 00BDB0B8
Fibre, xrefs: 00BDB154
SCSI, xrefs: 00BDB131
1394, xrefs: 00BDB146

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 6f8e41732f39dc21c89f781f19acb33ef4bd42d2347048a163537e9fbf2660ec
Instruction ID: ddfe8b68f5518677a0da888ad5b7cec609f254b23cd0e2f8f19c64c007fc508c
Opcode Fuzzy Hash: 6f8e41732f39dc21c89f781f19acb33ef4bd42d2347048a163537e9fbf2660ec
Instruction Fuzzy Hash: 0F519C30690305EB8B04DB10D9A2EB9F3F1EB54B41B2280E7E42AB7791EB759D41DB46

Function 00B76A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B76A91
__wcsnicmp.LIBCMT ref: 00B76AA9
__wcsnicmp.LIBCMT ref: 00B76AC1
__wcsnicmp.LIBCMT ref: 00B76AD9
__wcsnicmp.LIBCMT ref: 00B76AF1
__wcsnicmp.LIBCMT ref: 00B76B09
__wcsnicmp.LIBCMT ref: 00B76B21
__wcsnicmp.LIBCMT ref: 00B76B35
__wcsnicmp.LIBCMT ref: 00B76B76
__wcsnicmp.LIBCMT ref: 00B76B8A
__wcsnicmp.LIBCMT ref: 00B76B9E
__wcsnicmp.LIBCMT ref: 00B76BB2

Strings

#cs, xrefs: 00B76B2F, 00B76B84
#comments-end, xrefs: 00B76B98
Cannot parse #include, xrefs: 00BAE819
#pragma compile, xrefs: 00B76A8B
#ce, xrefs: 00B76BAC
#OnAutoItStartRegister, xrefs: 00B76AD3
#comments-start, xrefs: 00B76B1B, 00B76B70
Bad directive syntax error, xrefs: 00BAE743
#include, xrefs: 00B76B03
#notrayicon, xrefs: 00B76AA3
#requireadmin, xrefs: 00B76ABB
Unterminated group of comments, xrefs: 00BAE82C
#include-once, xrefs: 00B76AEB

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 2ffc1d7f9466092f8ef85dfdfd96866926bc5f9b8ccd679a117151102723cdf4
Instruction ID: 1b283b49c40209908d77e6c366c2980de54bcfa8c14887fff8f8c98538ca3519
Opcode Fuzzy Hash: 2ffc1d7f9466092f8ef85dfdfd96866926bc5f9b8ccd679a117151102723cdf4
Instruction Fuzzy Hash: 2F810970644605BACF20AB60CC83FBE77E8EF16700F0480F5F969AA1D2EB61DE55D261

Function 00BFAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00BFAB99
SetTextColor.GDI32(?,?), ref: 00BFAB9D
GetSysColorBrush.USER32(0000000F), ref: 00BFABB3
GetSysColor.USER32(0000000F), ref: 00BFABBE
CreateSolidBrush.GDI32(?), ref: 00BFABC3
GetSysColor.USER32(00000011), ref: 00BFABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BFABE9
SelectObject.GDI32(?,00000000), ref: 00BFABFA
SetBkColor.GDI32(?,00000000), ref: 00BFAC03
SelectObject.GDI32(?,?), ref: 00BFAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00BFAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BFAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00BFAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BFACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BFACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00BFACEC
DrawFocusRect.USER32(?,?), ref: 00BFACF7
GetSysColor.USER32(00000011), ref: 00BFAD05
SetTextColor.GDI32(?,00000000), ref: 00BFAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00BFAD21
SelectObject.GDI32(?,00BFA869), ref: 00BFAD38
DeleteObject.GDI32(?), ref: 00BFAD43
SelectObject.GDI32(?,?), ref: 00BFAD49
DeleteObject.GDI32(?), ref: 00BFAD4E
SetTextColor.GDI32(?,?), ref: 00BFAD54
SetBkColor.GDI32(?,?), ref: 00BFAD5E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0ee532e19809dd5eb8a41df3f198c22c7512778228cbf22fb2371061a23787eb
Instruction ID: 2372f52926e5a09c2901df4b407895acca574e23af6885058dcc2f7df885a190
Opcode Fuzzy Hash: 0ee532e19809dd5eb8a41df3f198c22c7512778228cbf22fb2371061a23787eb
Instruction Fuzzy Hash: 4C613FB1900219FFDF159FA4DC48EBE7BB9EF08320F104165FA15AB2A1DA759E40DB90

Function 00BF8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BF8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF8D45
CharNextW.USER32(0000014E), ref: 00BF8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BF8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BF8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00BF8DF9
SetWindowTextW.USER32(?,0000014E), ref: 00BF8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00BF8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF8E8C
_memset.LIBCMT ref: 00BF8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00BF8EFA
_memset.LIBCMT ref: 00BF8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BF8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00BF8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00BF9088
InvalidateRect.USER32(?,00000000,00000001), ref: 00BF90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BF90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BF9121
DrawMenuBar.USER32(?), ref: 00BF9130
SetWindowTextW.USER32(?,0000014E), ref: 00BF9158

Strings

0, xrefs: 00BF90C2

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: baeb36d49ad997e7d2076e83149db14899033eecf2f90730119622b6a17e90cb
Instruction ID: d3d01397e4d379b38edfa5a15d747ed1549f84250c56d9444ce41af8e9369ea0
Opcode Fuzzy Hash: baeb36d49ad997e7d2076e83149db14899033eecf2f90730119622b6a17e90cb
Instruction Fuzzy Hash: FAE14E7490021DBADF209F54CC84AFE7BF9EF05710F1081A9FA15AB291DB709A89DF61

Function 00BF4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BF4C51
GetDesktopWindow.USER32 ref: 00BF4C66
GetWindowRect.USER32(00000000), ref: 00BF4C6D
GetWindowLongW.USER32(?,000000F0), ref: 00BF4CCF
DestroyWindow.USER32(?), ref: 00BF4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BF4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BF4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00BF4D68
SendMessageW.USER32(?,00000421,?,?), ref: 00BF4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00BF4D90
IsWindowVisible.USER32(?), ref: 00BF4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00BF4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00BF4DDF
GetWindowRect.USER32(?,?), ref: 00BF4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00BF4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00BF4E37
CopyRect.USER32(?,?), ref: 00BF4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00BF4EB9

Strings

(, xrefs: 00BF4E2A
tooltips_class32, xrefs: 00BF4D1D
0, xrefs: 00BF4BFC

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b5f8b15eb41fd179149e8ee1b173b4839613a0d079720bf4cef7c8d1cf4bd699
Instruction ID: f4d4e287f982c9a4efea9ec387467eb8373139bdfcee2f8ea3471cbc59164f27
Opcode Fuzzy Hash: b5f8b15eb41fd179149e8ee1b173b4839613a0d079720bf4cef7c8d1cf4bd699
Instruction Fuzzy Hash: 37B13A71604341AFDB04DF64C885A6BBBE4FF88710F008969F6999B2A1DB71EC09CB51

Function 00BD46D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00BD46E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BD470E
_wcscpy.LIBCMT ref: 00BD473C
_wcscmp.LIBCMT ref: 00BD4747
_wcscat.LIBCMT ref: 00BD475D
_wcsstr.LIBCMT ref: 00BD4768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00BD4784
_wcscat.LIBCMT ref: 00BD47CD
_wcscat.LIBCMT ref: 00BD47D4
_wcsncpy.LIBCMT ref: 00BD47FF

Strings

04090000, xrefs: 00BD47BA
StringFileInfo\, xrefs: 00BD4757
%u.%u.%u.%u, xrefs: 00BD4862
\VarFileInfo\Translation, xrefs: 00BD477C
DefaultLangCodepage, xrefs: 00BD47E7

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 4d339bf44873374e102d21c42839c31f6b94ccfe361213addb4319c7160ede8d
Instruction ID: 92a8fc3aed0a339c9e915c9181e811898c19cb524bd9b91609777e88eb1e04f5
Opcode Fuzzy Hash: 4d339bf44873374e102d21c42839c31f6b94ccfe361213addb4319c7160ede8d
Instruction Fuzzy Hash: 2A41D372A00215BBDF10B7649C82EBFB7ECDF41750F1001F6F905A6292EB759A0196A5

Function 00B727D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B728BC
GetSystemMetrics.USER32(00000007), ref: 00B728C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B728EF
GetSystemMetrics.USER32(00000008), ref: 00B728F7
GetSystemMetrics.USER32(00000004), ref: 00B7291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B72939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B72949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B7297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B72990
GetClientRect.USER32(00000000,000000FF), ref: 00B729AE
GetStockObject.GDI32(00000011), ref: 00B729CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B729D5

Part of subcall function 00B72344: GetCursorPos.USER32(?), ref: 00B72357
Part of subcall function 00B72344: ScreenToClient.USER32(00C367B0,?), ref: 00B72374
Part of subcall function 00B72344: GetAsyncKeyState.USER32(00000001), ref: 00B72399
Part of subcall function 00B72344: GetAsyncKeyState.USER32(00000002), ref: 00B723A7

SetTimer.USER32(00000000,00000000,00000028,00B71256), ref: 00B729FC

Strings

AutoIt v3 GUI, xrefs: 00B72974

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7aff862bf7dd315fde90d9578d5302ac150c4db2ebca43e3124795543f620efe
Instruction ID: e50552a88fd871cea855d7914f757f9abada634f33c66406914d3458c57497a3
Opcode Fuzzy Hash: 7aff862bf7dd315fde90d9578d5302ac150c4db2ebca43e3124795543f620efe
Instruction Fuzzy Hash: 89B13C71A0020AAFDF14DFA8DC85BAE7BF4FF08714F108169FA29A7290DB749950CB55

Function 00BF4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BF40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00BF41B6

Strings

FINDITEM, xrefs: 00BF4329
SELECTINVERT, xrefs: 00BF4286
ISSELECTED, xrefs: 00BF41C1
GETITEMCOUNT, xrefs: 00BF4128
VIEWCHANGE, xrefs: 00BF4375
GETSELECTED, xrefs: 00BF42E4
SELECTALL, xrefs: 00BF421D
GETTEXT, xrefs: 00BF415F
GETSELECTEDCOUNT, xrefs: 00BF4199
SELECT, xrefs: 00BF4250
GETSUBITEMCOUNT, xrefs: 00BF4141
SELECTCLEAR, xrefs: 00BF4235
DESELECT, xrefs: 00BF42A4

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 3edcc98a54e520c6fa187f2995b6348a0aadde79cf3bcf4d3499820122385060
Instruction ID: 9218419848539b316d10b7a55c690d8167f7a9d76939d10555c2946cd4ebab66
Opcode Fuzzy Hash: 3edcc98a54e520c6fa187f2995b6348a0aadde79cf3bcf4d3499820122385060
Instruction Fuzzy Hash: 1BA18E302142159FCB14EF24C981A7AB7E5EF84314F1489BCB9AA9B792DB30ED09CB41

Function 00BE52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00BE5309
LoadCursorW.USER32(00000000,00007F8A), ref: 00BE5314
LoadCursorW.USER32(00000000,00007F00), ref: 00BE531F
LoadCursorW.USER32(00000000,00007F03), ref: 00BE532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00BE5335
LoadCursorW.USER32(00000000,00007F01), ref: 00BE5340
LoadCursorW.USER32(00000000,00007F81), ref: 00BE534B
LoadCursorW.USER32(00000000,00007F88), ref: 00BE5356
LoadCursorW.USER32(00000000,00007F80), ref: 00BE5361
LoadCursorW.USER32(00000000,00007F86), ref: 00BE536C
LoadCursorW.USER32(00000000,00007F83), ref: 00BE5377
LoadCursorW.USER32(00000000,00007F85), ref: 00BE5382
LoadCursorW.USER32(00000000,00007F82), ref: 00BE538D
LoadCursorW.USER32(00000000,00007F84), ref: 00BE5398
LoadCursorW.USER32(00000000,00007F04), ref: 00BE53A3
LoadCursorW.USER32(00000000,00007F02), ref: 00BE53AE
GetCursorInfo.USER32(?), ref: 00BE53BE
GetLastError.KERNEL32(00000001,00000000), ref: 00BE53E9

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: ffd4eca4929e653a8852915d702f54ce984aaec2927a11f6889294846ba6363f
Instruction ID: 4f1c753093393ec8023130637afa392cb2f5d6b6fa8fd7125c4de7eb9882f749
Opcode Fuzzy Hash: ffd4eca4929e653a8852915d702f54ce984aaec2927a11f6889294846ba6363f
Instruction Fuzzy Hash: B1417170E043196ADB209FBA8C49D6EFFF8EF51B10B10453FE509E7290DAB8A500CE61

Function 00BCAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00BCAAA5
__swprintf.LIBCMT ref: 00BCAB46
_wcscmp.LIBCMT ref: 00BCAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BCABAE
_wcscmp.LIBCMT ref: 00BCABEA
GetClassNameW.USER32(?,?,00000400), ref: 00BCAC21
GetDlgCtrlID.USER32(?), ref: 00BCAC73
GetWindowRect.USER32(?,?), ref: 00BCACA9
GetParent.USER32(?), ref: 00BCACC7
ScreenToClient.USER32(00000000), ref: 00BCACCE
GetClassNameW.USER32(?,?,00000100), ref: 00BCAD48
_wcscmp.LIBCMT ref: 00BCAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00BCAD82
_wcscmp.LIBCMT ref: 00BCAD96

Part of subcall function 00B9386C: _iswctype.LIBCMT ref: 00B93874

Strings

%s%u, xrefs: 00BCAB40

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 0d0850e6a0c0a77262e5cf9fed71bb82b3054dd61d22c97011ebef25b12c4ec4
Instruction ID: e0b10ca3a659515da5ab2964df0da73c1923ced62964dbdd623aac422a48dcce
Opcode Fuzzy Hash: 0d0850e6a0c0a77262e5cf9fed71bb82b3054dd61d22c97011ebef25b12c4ec4
Instruction Fuzzy Hash: 93A1907160460AABDB14DF64C884FAAF7E8FF04319F10466DF99AD3150DB30E955CBA2

Function 00BCB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00BCB3DB
_wcscmp.LIBCMT ref: 00BCB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00BCB414
CharUpperBuffW.USER32(?,00000000), ref: 00BCB431
_wcscmp.LIBCMT ref: 00BCB44F
_wcsstr.LIBCMT ref: 00BCB460
GetClassNameW.USER32(00000018,?,00000400), ref: 00BCB498
_wcscmp.LIBCMT ref: 00BCB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00BCB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00BCB518
_wcscmp.LIBCMT ref: 00BCB528
GetClassNameW.USER32(00000010,?,00000400), ref: 00BCB550
GetWindowRect.USER32(00000004,?), ref: 00BCB5B9

Strings

@, xrefs: 00BCB3BC
ThumbnailClass, xrefs: 00BCB4A3, 00BCB523

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: e0ee3ca0af4ee1c82b3faa136d9294639201770420d722bbc250ca53643d8239
Instruction ID: ef286b7d762f0ce28a12c5c7fc6fb88d294451933d13cf81d8bbc1c081e11435
Opcode Fuzzy Hash: e0ee3ca0af4ee1c82b3faa136d9294639201770420d722bbc250ca53643d8239
Instruction Fuzzy Hash: 68819C720082069BDB15DF10C886FBEBBE8EF54714F0485ADFD899A1A2DB34DD49CB61

Function 00BCB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00BCB23F

Strings

[CLASS:, xrefs: 00BCB28F
CLASSNAME=, xrefs: 00BCB27C
[ALL, xrefs: 00BCB2E5
LAST, xrefs: 00BCB204
[HANDLE:, xrefs: 00BCB24B
[LAST, xrefs: 00BCB2EC
REGEXP=, xrefs: 00BCB254
ACTIVE, xrefs: 00BCB21A
ALL, xrefs: 00BCB2D3
[REGEXPTITLE:, xrefs: 00BCB267
[ACTIVE, xrefs: 00BCB22C
HANDLE=, xrefs: 00BCB238

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 81e0296296102debde0a78853bf1b10834340f844de5f4478053a8637087f0a3
Instruction ID: 90d03bf81fbfc6eece13e6893bf9aa571f92b89a819149798399d47e402670eb
Opcode Fuzzy Hash: 81e0296296102debde0a78853bf1b10834340f844de5f4478053a8637087f0a3
Instruction Fuzzy Hash: 9C31CF31A88215A6DF14FA60DD83FEE7BE8EF20B50F6040B8B855754E2EF616F04C551

Function 00BCC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00BCC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BCC4E6
SetWindowTextW.USER32(?,?), ref: 00BCC4FD
GetDlgItem.USER32(?,000003EA), ref: 00BCC512
SetWindowTextW.USER32(00000000,?), ref: 00BCC518
GetDlgItem.USER32(?,000003E9), ref: 00BCC528
SetWindowTextW.USER32(00000000,?), ref: 00BCC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BCC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BCC569
GetWindowRect.USER32(?,?), ref: 00BCC572
SetWindowTextW.USER32(?,?), ref: 00BCC5DD
GetDesktopWindow.USER32 ref: 00BCC5E3
GetWindowRect.USER32(00000000), ref: 00BCC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00BCC636
GetClientRect.USER32(?,?), ref: 00BCC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00BCC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BCC693

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: e126a8666ec194ebc3ded4a01ed99b52ce3e2ba058a5f9f06050829c6830bdad
Instruction ID: 27e317a62043d70b5e65011ded7de30f10d4fed8e2e3f4a3118003f8cab07848
Opcode Fuzzy Hash: e126a8666ec194ebc3ded4a01ed99b52ce3e2ba058a5f9f06050829c6830bdad
Instruction Fuzzy Hash: F151297190070AAFDB209FA8DD85F6EBBF5EF14705F00456CE686A35A0CB74A944CB50

Function 00BFA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BFA4C8
DestroyWindow.USER32(?,?), ref: 00BFA542

Part of subcall function 00B77D2C: _memmove.LIBCMT ref: 00B77D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BFA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BFA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BFA5F1
DestroyWindow.USER32(00000000), ref: 00BFA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B70000,00000000), ref: 00BFA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BFA663
GetDesktopWindow.USER32 ref: 00BFA67C
GetWindowRect.USER32(00000000), ref: 00BFA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BFA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BFA6B3

Part of subcall function 00B725DB: GetWindowLongW.USER32(?,000000EB), ref: 00B725EC

Strings

tooltips_class32, xrefs: 00BFA5B5, 00BFA643
0, xrefs: 00BFA4DE

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 83a7b5d6f0f5ff3e5f21a21a8598dd0ca13378413f97937744cf1c474ae7aa51
Instruction ID: ed3ea9be70bbbd80c1739d2eea3e21c26f99925b3d57c6962cea0bf93d527755
Opcode Fuzzy Hash: 83a7b5d6f0f5ff3e5f21a21a8598dd0ca13378413f97937744cf1c474ae7aa51
Instruction Fuzzy Hash: 15717AB1150209BFD724CF28CC45F7A7BE5EB88704F08456DFA99872A1DB70E905CB12

Function 00BFC8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B72612: GetWindowLongW.USER32(?,000000EB), ref: 00B72623

DragQueryPoint.SHELL32(?,?), ref: 00BFC917

Part of subcall function 00BFADF1: ClientToScreen.USER32(?,?), ref: 00BFAE1A
Part of subcall function 00BFADF1: GetWindowRect.USER32(?,?), ref: 00BFAE90
Part of subcall function 00BFADF1: PtInRect.USER32(?,?,00BFC304), ref: 00BFAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00BFC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BFC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BFC9AE
_wcscat.LIBCMT ref: 00BFC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BFC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00BFCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00BFCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00BFCA47
DragFinish.SHELL32(?), ref: 00BFCA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00BFCB41

Strings

@GUI_DRAGID, xrefs: 00BFCAB9
@GUI_DROPID, xrefs: 00BFCA6E
@GUI_DRAGFILE, xrefs: 00BFCAF0

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: ab6cc3b5fd715de43d288d4bd94806efb512e98a2ad585abfaef10ba423bf82c
Instruction ID: a9d78966d570e476a3851f5ee594c9475d50653a7cff4032f30564ce4dc950be
Opcode Fuzzy Hash: ab6cc3b5fd715de43d288d4bd94806efb512e98a2ad585abfaef10ba423bf82c
Instruction Fuzzy Hash: 78617C71508305AFC711EF60DC85DAFBBE8EF88710F00496EF6A5972A1DB709A49CB52

Function 00BF4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BF46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BF46F6

Strings

COLLAPSE, xrefs: 00BF473C
GETITEMCOUNT, xrefs: 00BF47D8
UNCHECK, xrefs: 00BF48D2
CHECK, xrefs: 00BF4716
SELECT, xrefs: 00BF48A7
GETTOTALCOUNT, xrefs: 00BF46DD
ISCHECKED, xrefs: 00BF4879
EXPAND, xrefs: 00BF47A8
GETSELECTED, xrefs: 00BF4806
EXISTS, xrefs: 00BF475F
GETTEXT, xrefs: 00BF4849

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 8c2672410d5429c47733bc31297f8d4ee90a8a17bc831c474975e97cf99a20d5
Instruction ID: 1d700b184e85ac136408a26b92b80ab70d1f7678686461f43081460601348637
Opcode Fuzzy Hash: 8c2672410d5429c47733bc31297f8d4ee90a8a17bc831c474975e97cf99a20d5
Instruction Fuzzy Hash: 46916C742043059FCB14EF14C491A7AB7E1AF84314F0488ECF9AA5B7A2DB30ED4ACB41

Function 00BFBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BFBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BF9431), ref: 00BFBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BFBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BFBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BFBC7D
FreeLibrary.KERNEL32(?), ref: 00BFBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BFBC99
DestroyIcon.USER32(?,?,?,?,?,00BF9431), ref: 00BFBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BFBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BFBCD1

Part of subcall function 00B9313D: __wcsicmp_l.LIBCMT ref: 00B931C6

Strings

.dll, xrefs: 00BFBB27
.exe, xrefs: 00BFBB04
.icl, xrefs: 00BFBAE4

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 3a703d34b4253865a498d558774f1587a7b60026132579aef0a73921f88d74a3
Instruction ID: 4f4e63a36f4c485030e68429d1cdc482c9c966fc172c35f3294657e464934694
Opcode Fuzzy Hash: 3a703d34b4253865a498d558774f1587a7b60026132579aef0a73921f88d74a3
Instruction Fuzzy Hash: E9619071900619BAEB14DF64CC85FBE7BE8EF08710F1041A9FA15D71D1DB74AA94CBA0

Function 00BDA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

CharLowerBuffW.USER32(?,?), ref: 00BDA636
GetDriveTypeW.KERNEL32 ref: 00BDA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BDA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BDA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BDA730

Part of subcall function 00B77D2C: _memmove.LIBCMT ref: 00B77D66

Strings

closed, xrefs: 00BDA64A, 00BDA653
type cdaudio alias cd wait, xrefs: 00BDA6AE
set cd door , xrefs: 00BDA6D1
open , xrefs: 00BDA692
open, xrefs: 00BDA65D
wait, xrefs: 00BDA6ED
close cd wait, xrefs: 00BDA71B
close, xrefs: 00BDA63C

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: e79e1b7dfcf115ca473e9c77e09674ce34031ea73984f270f61e735f9098835e
Instruction ID: a2f43418e0220151296090eec610d59496b0845f560baaac78baf1b66bc3b5f4
Opcode Fuzzy Hash: e79e1b7dfcf115ca473e9c77e09674ce34031ea73984f270f61e735f9098835e
Instruction Fuzzy Hash: A3513E711043059FC710EF24D98196AB7F8FF98718F1489ADF8AA57261DB31EE0ACB52

Function 00BDA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BDA47A
__swprintf.LIBCMT ref: 00BDA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00BDA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BDA4FE
_memset.LIBCMT ref: 00BDA51D
_wcsncpy.LIBCMT ref: 00BDA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BDA58E
CloseHandle.KERNEL32(00000000), ref: 00BDA599
RemoveDirectoryW.KERNEL32(?), ref: 00BDA5A2
CloseHandle.KERNEL32(00000000), ref: 00BDA5AC

Strings

\??\%s, xrefs: 00BDA496
\, xrefs: 00BDA4B2
:, xrefs: 00BDA4BD

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 9a57765d8943a8755b498b02d83ee82942c32e5b7f5d493c960991e96e83d007
Instruction ID: 33484c21e6cb36c67488531cd4363dfad25b51da4a9e66e6eb679b853403c51a
Opcode Fuzzy Hash: 9a57765d8943a8755b498b02d83ee82942c32e5b7f5d493c960991e96e83d007
Instruction Fuzzy Hash: B0316DB650011AABDB219FA0DC89FBB77BCEF88705F1041B6F909D7260EB7097458B25

Function 00BDDB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00BDDC7B
_wcscat.LIBCMT ref: 00BDDC93
_wcscat.LIBCMT ref: 00BDDCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BDDCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 00BDDCCE
GetFileAttributesW.KERNEL32(?), ref: 00BDDCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 00BDDD00
SetCurrentDirectoryW.KERNEL32(?), ref: 00BDDD12

Strings

*.*, xrefs: 00BDDD51

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 93740f7831fd01d3c1d8cbf8421f45a0e1f91b2d744f4ab8ee2f6e1bfcdeb97a
Instruction ID: 332c02db11288267b855ff2eaf62ea8a7ee1379e18ff287c9360a5dcf61f188a
Opcode Fuzzy Hash: 93740f7831fd01d3c1d8cbf8421f45a0e1f91b2d744f4ab8ee2f6e1bfcdeb97a
Instruction Fuzzy Hash: F7816D715042419FCB24EF24C8859AAF7E8EB88314F1988ABF8C9C7350F631D944CB52

Function 00BFC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B72612: GetWindowLongW.USER32(?,000000EB), ref: 00B72623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BFC4EC
GetFocus.USER32 ref: 00BFC4FC
GetDlgCtrlID.USER32(00000000), ref: 00BFC507
_memset.LIBCMT ref: 00BFC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BFC65D
GetMenuItemCount.USER32(?), ref: 00BFC67D
GetMenuItemID.USER32(?,00000000), ref: 00BFC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BFC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BFC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BFC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00BFC779

Strings

0, xrefs: 00BFC62A

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 643df4779a58c2c19cdf10f644e2d5b6433160fb96c61f98a6ed2acc4cd90790
Instruction ID: 3589864233041e04e0a098ab34ed935d7802ca09a1278a83d8cdc0b69a294a10
Opcode Fuzzy Hash: 643df4779a58c2c19cdf10f644e2d5b6433160fb96c61f98a6ed2acc4cd90790
Instruction Fuzzy Hash: C5817D70508349AFDB10DF24CA84A7ABBE4FF98314F1049ADFA9597291DB30DD49CB92

Function 00BC83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC8766
Part of subcall function 00BC874A: GetLastError.KERNEL32(?,00BC822A,?,?,?), ref: 00BC8770
Part of subcall function 00BC874A: GetProcessHeap.KERNEL32(00000008,?,?,00BC822A,?,?,?), ref: 00BC877F
Part of subcall function 00BC874A: HeapAlloc.KERNEL32(00000000,?,00BC822A,?,?,?), ref: 00BC8786
Part of subcall function 00BC874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC879D

Part of subcall function 00BC87E7: GetProcessHeap.KERNEL32(00000008,00BC8240,00000000,00000000,?,00BC8240,?), ref: 00BC87F3
Part of subcall function 00BC87E7: HeapAlloc.KERNEL32(00000000,?,00BC8240,?), ref: 00BC87FA
Part of subcall function 00BC87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00BC8240,?), ref: 00BC880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BC8458
_memset.LIBCMT ref: 00BC846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BC848C
GetLengthSid.ADVAPI32(?), ref: 00BC849D
GetAce.ADVAPI32(?,00000000,?), ref: 00BC84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BC84F6
GetLengthSid.ADVAPI32(?), ref: 00BC8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00BC8522
HeapAlloc.KERNEL32(00000000), ref: 00BC8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BC854A
CopySid.ADVAPI32(00000000), ref: 00BC8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BC8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BC85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BC85BC

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 69413202d0a261de2467ef4825b57637188df6aeec95e509b723df67c12a8c24
Instruction ID: 8d11968a1e718ccb68b2c34c74245d6b3daeab44c3e2a1b5cf0910fa398c8e08
Opcode Fuzzy Hash: 69413202d0a261de2467ef4825b57637188df6aeec95e509b723df67c12a8c24
Instruction Fuzzy Hash: 8961187190021AABDF149FA4DC85EBEBBB9FF08300F1481A9E915A7291DF719A15CF60

Function 00BE762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00BE76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00BE76AE
CreateCompatibleDC.GDI32(?), ref: 00BE76BA
SelectObject.GDI32(00000000,?), ref: 00BE76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00BE771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00BE7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00BE777B
SelectObject.GDI32(00000006,?), ref: 00BE7783
DeleteObject.GDI32(?), ref: 00BE778C
DeleteDC.GDI32(00000006), ref: 00BE7793
ReleaseDC.USER32(00000000,?), ref: 00BE779E

Strings

(, xrefs: 00BE7723

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: f85137a94d498c65de9c39123843217688b8860bf524091349373af008db1be2
Instruction ID: ff4ae60e8f54ec045b37370ab48cd22b67fd1511e9e8ea32a7288fcef840054d
Opcode Fuzzy Hash: f85137a94d498c65de9c39123843217688b8860bf524091349373af008db1be2
Instruction Fuzzy Hash: AB515875904249EFCB14CFA9CC84EAEBBF9EF48710F14846DF94AA7210DB31A940CB60

Function 00BDA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00BFFB78), ref: 00BDA0FC

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00BDA11E
__swprintf.LIBCMT ref: 00BDA177
__swprintf.LIBCMT ref: 00BDA190
_wprintf.LIBCMT ref: 00BDA246
_wprintf.LIBCMT ref: 00BDA264

Strings

Error: , xrefs: 00BDA20E
Line %d (File "%s"):, xrefs: 00BDA171, 00BDA18A
"%s" (%d) : ==> %s:, xrefs: 00BDA25F
^ ERROR, xrefs: 00BDA1E8
"%s" (%d) : ==> %s:%s%s, xrefs: 00BDA241

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: ad551cb1a07de4e52256ef7dc4c1cab51e2f081ad2851981ef68b59d1da149c5
Instruction ID: 222e6d17c2c98d44ca74adfea60751821ef3ab55f29c58fb143cb8f3e3df3155
Opcode Fuzzy Hash: ad551cb1a07de4e52256ef7dc4c1cab51e2f081ad2851981ef68b59d1da149c5
Instruction Fuzzy Hash: E8513A71940219BACF15EBA0CD86EEEB7B9EF05300F2081E5F519721A1EB316F58DB61

Function 00B76BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00B90B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00B76C6C,?,00008000), ref: 00B90BB7

Part of subcall function 00B748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B748A1,?,?,00B737C0,?), ref: 00B748CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B76D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00B76E5A

Part of subcall function 00B759CD: _wcscpy.LIBCMT ref: 00B75A05

Part of subcall function 00B9387D: _iswctype.LIBCMT ref: 00B93885

Strings

Bad directive syntax error, xrefs: 00BAEBC6
EA06, xrefs: 00BAE87B
AU3!, xrefs: 00B76CC1
Unterminated string, xrefs: 00BAEC0D
Error opening the file, xrefs: 00BAE866, 00BAE8E1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00BAE84A
>>>AUTOIT SCRIPT<<<, xrefs: 00BAE8BF

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 260cbe02587fe65f4d44dd88605db5934d7eed922d3cb835445479c271cf0945
Instruction ID: 1f16d9caf0e4802f837c4ba0e1b6860188e7d802a4573a14e0814ebd090c3f2c
Opcode Fuzzy Hash: 260cbe02587fe65f4d44dd88605db5934d7eed922d3cb835445479c271cf0945
Instruction Fuzzy Hash: 15029C3110C7419FC724EF24C881AAFBBE5EF85354F0489ADF4AA972A1DB30D949CB52

Function 00B745DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B745F9
GetMenuItemCount.USER32(00C36890), ref: 00BAD7CD
GetMenuItemCount.USER32(00C36890), ref: 00BAD87D
GetCursorPos.USER32(?), ref: 00BAD8C1
SetForegroundWindow.USER32(00000000), ref: 00BAD8CA
TrackPopupMenuEx.USER32(00C36890,00000000,?,00000000,00000000,00000000), ref: 00BAD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BAD8E9

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: fcdd39febe1b555993f8a4fbb48066bac814dffaac47765389c02b263db88831
Instruction ID: 743f2fe19706e8a5c2f3c13ced5f58ae207cb2b0ad75982c0ffd830fc60ea3f3
Opcode Fuzzy Hash: fcdd39febe1b555993f8a4fbb48066bac814dffaac47765389c02b263db88831
Instruction Fuzzy Hash: 9471F870609205BEEB259F24DC89FAABFE4FF06364F104296F529671E1CBB19C50DB90

Function 00BF10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BF0038,?,?), ref: 00BF10BC

Strings

HKCR, xrefs: 00BF1164
HKEY_CLASSES_ROOT, xrefs: 00BF114F
HKCU, xrefs: 00BF11AC
HKCC, xrefs: 00BF118A
HKLM, xrefs: 00BF113A
HKEY_USERS, xrefs: 00BF11BD
HKEY_CURRENT_USER, xrefs: 00BF119B
HKU, xrefs: 00BF11CE
HKEY_LOCAL_MACHINE, xrefs: 00BF1125
HKEY_CURRENT_CONFIG, xrefs: 00BF1179

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 2aecbf8eb6f1329d17e65dbd38508f0e3fde59ebb5181b85cba25027a48d65ed
Instruction ID: 7b407813bd2f20de1ee3ce0be4bac71c5ef9a35dbed65c927922cf66e2567d47
Opcode Fuzzy Hash: 2aecbf8eb6f1329d17e65dbd38508f0e3fde59ebb5181b85cba25027a48d65ed
Instruction Fuzzy Hash: FC415C7015025EDBCF10EF98E891AFE37A4EF11300F1048A4FEA16B691DB30AE5ACB50

Function 00BD5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00B77D2C: _memmove.LIBCMT ref: 00B77D66

Part of subcall function 00B77A84: _memmove.LIBCMT ref: 00B77B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BD55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BD55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BD55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BD560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BD561C

Strings

open , xrefs: 00BD5581
play PlayMe, xrefs: 00BD5617
play PlayMe wait, xrefs: 00BD5606
alias PlayMe, xrefs: 00BD55AB
status PlayMe mode, xrefs: 00BD55CD
close PlayMe, xrefs: 00BD55E3, 00BD5610

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: f41ec184e13e10a343281c1a607c725a18a1c92c25de54503895352d51da6e94
Instruction ID: 9279f9b36a72c84e66a19530d96b3898284c1cc64b3a58751296f9c36fef0248
Opcode Fuzzy Hash: f41ec184e13e10a343281c1a607c725a18a1c92c25de54503895352d51da6e94
Instruction Fuzzy Hash: CB1198205901697AD730F661DC49DFFBBBCEF95B10F4044BAB415A20E1EE609D05C6A1

Function 00BD48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BD490E
gethostname.WSOCK32(?,00000100), ref: 00BD4928
gethostbyname.WSOCK32(?), ref: 00BD4935
_wcscpy.LIBCMT ref: 00BD495D
_memmove.LIBCMT ref: 00BD4970
inet_ntoa.WSOCK32(?), ref: 00BD497B
_strcat.LIBCMT ref: 00BD4989
_wcscpy.LIBCMT ref: 00BD49A0
WSACleanup.WSOCK32 ref: 00BD49AE
_wcscpy.LIBCMT ref: 00BD49BC

Strings

0.0.0.0, xrefs: 00BD4957

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: afb7df9b4091fc9af33aa319d93aea9080ba92a2db499acb41367021fddef02b
Instruction ID: 278ce60460ca0440f45303f83ba102d4d21428a7f7cdbd5db26fc238c6acafd9
Opcode Fuzzy Hash: afb7df9b4091fc9af33aa319d93aea9080ba92a2db499acb41367021fddef02b
Instruction Fuzzy Hash: D111C031904116AFCB20AB65AC4AEEBB7ECDF00720F1401F6F408971A1FFB59A819661

Function 00BD5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BD521C

Part of subcall function 00B90719: timeGetTime.WINMM(?,76C1B400,00B80FF9), ref: 00B9071D

Sleep.KERNEL32(0000000A), ref: 00BD5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00BD526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BD528E
SetActiveWindow.USER32 ref: 00BD52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BD52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00BD52DA
Sleep.KERNEL32(000000FA), ref: 00BD52E5
IsWindow.USER32 ref: 00BD52F1
EndDialog.USER32(00000000), ref: 00BD5302

Strings

BUTTON, xrefs: 00BD5280

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: be9b74d6c9ce9fc020c873fe61b81d2e58c91e9e355b2a139b584a2804bd9bb9
Instruction ID: d86e06212db240056618e2656acccd2d5ade3ae00878071130a96ba09c6acbaa
Opcode Fuzzy Hash: be9b74d6c9ce9fc020c873fe61b81d2e58c91e9e355b2a139b584a2804bd9bb9
Instruction Fuzzy Hash: 932180B0114606BFEB205F70EC88B3ABBA9EB54356B0004B6F50293271EE619D04D765

Function 00BDD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

CoInitialize.OLE32(00000000), ref: 00BDD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BDD8E8
SHGetDesktopFolder.SHELL32(?), ref: 00BDD8FC
CoCreateInstance.OLE32(00C02D7C,00000000,00000001,00C2A89C,?), ref: 00BDD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BDD9B7
CoTaskMemFree.OLE32(?,?), ref: 00BDDA0F
_memset.LIBCMT ref: 00BDDA4C
SHBrowseForFolderW.SHELL32(?), ref: 00BDDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BDDAAB
CoTaskMemFree.OLE32(00000000), ref: 00BDDAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00BDDAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00BDDAEB

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: fad3e87ad6d03d9c3cf8bedba3bd87f5773fbcc3725e8827f92e6a3926d9ba24
Instruction ID: 05ad1a2d3639f909fa745668649756fc712719d9db5a67b3006386ad5a64ff5a
Opcode Fuzzy Hash: fad3e87ad6d03d9c3cf8bedba3bd87f5773fbcc3725e8827f92e6a3926d9ba24
Instruction Fuzzy Hash: 71B1FA75A00109AFDB04DFA4C888EAEBBF9EF48314B0484A9F559EB361DB31ED45CB50

Function 00BD052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00BD05A7
SetKeyboardState.USER32(?), ref: 00BD0612
GetAsyncKeyState.USER32(000000A0), ref: 00BD0632
GetKeyState.USER32(000000A0), ref: 00BD0649
GetAsyncKeyState.USER32(000000A1), ref: 00BD0678
GetKeyState.USER32(000000A1), ref: 00BD0689
GetAsyncKeyState.USER32(00000011), ref: 00BD06B5
GetKeyState.USER32(00000011), ref: 00BD06C3
GetAsyncKeyState.USER32(00000012), ref: 00BD06EC
GetKeyState.USER32(00000012), ref: 00BD06FA
GetAsyncKeyState.USER32(0000005B), ref: 00BD0723
GetKeyState.USER32(0000005B), ref: 00BD0731

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5d89b13441b582ec708974c1c9db89ac0f214fee384a273f42eae4f3a166b2df
Instruction ID: 35374c4144ae04eb9f6c5f60dd2f2d0ad14378c4bb91b544fb1bc0dd34e58adc
Opcode Fuzzy Hash: 5d89b13441b582ec708974c1c9db89ac0f214fee384a273f42eae4f3a166b2df
Instruction Fuzzy Hash: 4551C760A1478429FB34EBA494557EAFFF4DF11380F0845DB99C25B2C2FA64DA4CCB51

Function 00BCC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00BCC746
GetWindowRect.USER32(00000000,?), ref: 00BCC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00BCC7B6
GetDlgItem.USER32(?,00000002), ref: 00BCC7C1
GetWindowRect.USER32(00000000,?), ref: 00BCC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00BCC827
GetDlgItem.USER32(?,000003E9), ref: 00BCC835
GetWindowRect.USER32(00000000,?), ref: 00BCC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00BCC889
GetDlgItem.USER32(?,000003EA), ref: 00BCC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BCC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00BCC8C1

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 543228a7324a2aa1c1b01d5e068e7537b7059196020e09ad9225399f8bf8079d
Instruction ID: efcf648e38b78214198de0fedc6e320d1a7a66cb71c1ab4902327c7dd920577f
Opcode Fuzzy Hash: 543228a7324a2aa1c1b01d5e068e7537b7059196020e09ad9225399f8bf8079d
Instruction Fuzzy Hash: F1513D71B00205ABDB18CF68DD99ABEBBB6EF98710F14816DF519D7290DB70AD00CB50

Function 00B7201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B71B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B72036,?,00000000,?,?,?,?,00B716CB,00000000,?), ref: 00B71B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B720D3
KillTimer.USER32(-00000001,?,?,?,?,00B716CB,00000000,?,?,00B71AE2,?,?), ref: 00B7216E
DestroyAcceleratorTable.USER32(00000000), ref: 00BABEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B716CB,00000000,?,?,00B71AE2,?,?), ref: 00BABF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B716CB,00000000,?,?,00B71AE2,?,?), ref: 00BABF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B716CB,00000000,?,?,00B71AE2,?,?), ref: 00BABF5A
DeleteObject.GDI32(00000000), ref: 00BABF6C

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 5da344eb55245b3da1d600fd556c6fc68c009b4fbe861bed0ee51c47a42499e4
Instruction ID: 6b3cf7ef2294ca2a61f6ff394372249c89c88e29b8806933b9bf8be8f2a23168
Opcode Fuzzy Hash: 5da344eb55245b3da1d600fd556c6fc68c009b4fbe861bed0ee51c47a42499e4
Instruction Fuzzy Hash: 9D61AA30114601EFDB259F18CD88B39B7F1FF45312F54C4A9E16697AA1CB32A890DFA1

Function 00B721A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00B725DB: GetWindowLongW.USER32(?,000000EB), ref: 00B725EC

GetSysColor.USER32(0000000F), ref: 00B721D3

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 804bcc3c6d2ba44fe4b714ed04abaabf954e18f2652ce5f562694a7ae4fb6659
Instruction ID: 8c4f1300fa0d96dc1954427151d57d858d7526ba953462aa5880fc028da00242
Opcode Fuzzy Hash: 804bcc3c6d2ba44fe4b714ed04abaabf954e18f2652ce5f562694a7ae4fb6659
Instruction Fuzzy Hash: B3416031104140AADB255F28DC88BB93BE5EF16321F2582A5FD799B1E6CB318E42DB61

Function 00BDAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00BFF910), ref: 00BDAB76
GetDriveTypeW.KERNEL32(00000061,00C2A620,00000061), ref: 00BDAC40
_wcscpy.LIBCMT ref: 00BDAC6A

Strings

removable, xrefs: 00BDABA8
network, xrefs: 00BDABD4
all, xrefs: 00BDAB7C
fixed, xrefs: 00BDABBE
ramdisk, xrefs: 00BDABEA
cdrom, xrefs: 00BDAB92
unknown, xrefs: 00BDAC01

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: d77bb41c6ebd4c7e3e26608481da20af843d404d08ac955df7c81f3c89c3ed1b
Instruction ID: e9149b27e068c2210889c53917e7421abadb1bb860c3433637738ceb0ded912a
Opcode Fuzzy Hash: d77bb41c6ebd4c7e3e26608481da20af843d404d08ac955df7c81f3c89c3ed1b
Instruction Fuzzy Hash: 00517F301183019FCB10EF14D891AAAF7E5EF85314F5488AEF496572A2EB31D94ACB53

Function 00B79997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00B799C2
__swprintf.LIBCMT ref: 00B79A0C
__i64tow.LIBCMT ref: 00BAFA0F

Strings

True, xrefs: 00BAF9D0
%.15g, xrefs: 00B79A06
0x%p, xrefs: 00BAF9F1
False, xrefs: 00BAF9D7

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: c9f8cd099e992ddebdeec7a30e0d000a2f1c9a0bc12c8eb28fd1e1ea4b262cea
Instruction ID: d203f5cd0719ad87a95433b5a14e3e565cd99d0d62b7d2a98477fc629a4c949f
Opcode Fuzzy Hash: c9f8cd099e992ddebdeec7a30e0d000a2f1c9a0bc12c8eb28fd1e1ea4b262cea
Instruction Fuzzy Hash: 39419471508606AFEF24AB74D881F7673E4EB45300F2088FEE65DD6291EA71D941D711

Function 00BF73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BF73D9
CreateMenu.USER32 ref: 00BF73F4
SetMenu.USER32(?,00000000), ref: 00BF7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF7490
IsMenu.USER32(?), ref: 00BF74A6
CreatePopupMenu.USER32 ref: 00BF74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BF74DD
DrawMenuBar.USER32 ref: 00BF74E5

Strings

0, xrefs: 00BF73CF
F, xrefs: 00BF74D1

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 5e926a8126a63cb72c3b4e801223eebd70dfa2f042b6acdc787cfda7589c70a6
Instruction ID: 89ea503d1a8ea78c8b16289acd93a73132242643b86dc2e4ec278eb959576b21
Opcode Fuzzy Hash: 5e926a8126a63cb72c3b4e801223eebd70dfa2f042b6acdc787cfda7589c70a6
Instruction Fuzzy Hash: 08411675A01209EFDB20DF64D884BEABBF9FF49350F1440A9EA5597360DB31A914CBA0

Function 00BF772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BF77CD
CreateCompatibleDC.GDI32(00000000), ref: 00BF77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BF77E7
SelectObject.GDI32(00000000,00000000), ref: 00BF77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BF77FA
DeleteDC.GDI32(00000000), ref: 00BF7803
GetWindowLongW.USER32(?,000000EC), ref: 00BF780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00BF7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00BF782D

Strings

static, xrefs: 00BF7765

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: df8ff4dbf715bbb184433a9a10df7232c97fffe9518a2a3f38c8dd533a1ca3a2
Instruction ID: 9cb9490a8c21f5faea4cf5119a808f325d327090fbdb4b74df26824328e2c19a
Opcode Fuzzy Hash: df8ff4dbf715bbb184433a9a10df7232c97fffe9518a2a3f38c8dd533a1ca3a2
Instruction Fuzzy Hash: 64316C3210511ABBDF119F75DC09FFA3BA9EF09360F1142A4FA15A71A0CB31D825DBA4

Function 00B97040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B9707B

Part of subcall function 00B98D68: __getptd_noexit.LIBCMT ref: 00B98D68

__gmtime64_s.LIBCMT ref: 00B97114
__gmtime64_s.LIBCMT ref: 00B9714A
__gmtime64_s.LIBCMT ref: 00B97167
__allrem.LIBCMT ref: 00B971BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B971D9
__allrem.LIBCMT ref: 00B971F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B9720E
__allrem.LIBCMT ref: 00B97225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B97243
__invoke_watson.LIBCMT ref: 00B972B4

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 5ef2adf280f7314d1bdf1c212c067dbb1e0630ee0f27a5d12874303c714279ce
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 6871F871A58716ABDF14DF79CC81B6AB3E8EF52724F1442BAF414E7281EB70DA408790

Function 00BD2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD2A31
GetMenuItemInfoW.USER32(00C36890,000000FF,00000000,00000030), ref: 00BD2A92
SetMenuItemInfoW.USER32(00C36890,00000004,00000000,00000030), ref: 00BD2AC8
Sleep.KERNEL32(000001F4), ref: 00BD2ADA
GetMenuItemCount.USER32(?), ref: 00BD2B1E
GetMenuItemID.USER32(?,00000000), ref: 00BD2B3A
GetMenuItemID.USER32(?,-00000001), ref: 00BD2B64
GetMenuItemID.USER32(?,?), ref: 00BD2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BD2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BD2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BD2C24

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 857bceed808882e6cc46a761ffcbc4689450a5acb9780d0619b4695b63ad15e4
Instruction ID: bed02041c0318b316bd6b79a2bb899bac274ddc5380cf11c5ab3d1b57340f577
Opcode Fuzzy Hash: 857bceed808882e6cc46a761ffcbc4689450a5acb9780d0619b4695b63ad15e4
Instruction Fuzzy Hash: BC618FB091428AAFDF11CF64D888EBEBBF8EB61304F14459AE84197351EB71AD05DB20

Function 00BF7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BF7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BF7217
GetWindowLongW.USER32(?,000000F0), ref: 00BF723B
_memset.LIBCMT ref: 00BF724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BF725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BF72D6

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: a574be9236914ba58df1d9c47630b202c50e03941c0cc8989acf55015b9ef73a
Instruction ID: 6baa917c93a0bcf04e0107f9e77b818ca06a7b8c83d767a3009a4aa2c0552c50
Opcode Fuzzy Hash: a574be9236914ba58df1d9c47630b202c50e03941c0cc8989acf55015b9ef73a
Instruction Fuzzy Hash: B9617C71940208AFDB10DFA4CC81EFE77F8EB09700F144199FA14A72A1CB70AA46DB60

Function 00BC710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BC7135
SafeArrayAllocData.OLEAUT32(?), ref: 00BC718E
VariantInit.OLEAUT32(?), ref: 00BC71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00BC71C0
VariantCopy.OLEAUT32(?,?), ref: 00BC7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00BC7227
VariantClear.OLEAUT32(?), ref: 00BC723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00BC7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BC7252
VariantClear.OLEAUT32(?), ref: 00BC7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BC726F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 400d8a41b61d9adfe3057a40e203c2f85e3d7ffe44102af32cc387d321bc0d2f
Instruction ID: 43a1f59317802e63bb07f71dfe9e2582f1ab465538b8c6c62e0484494a559f98
Opcode Fuzzy Hash: 400d8a41b61d9adfe3057a40e203c2f85e3d7ffe44102af32cc387d321bc0d2f
Instruction Fuzzy Hash: D641FC75A04219AFCF04DF64D848EAEBBF9EF48354F0480A9F955AB361DB30A945CF90

Function 00BE5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00BE5AA6
inet_addr.WSOCK32(?,?,?), ref: 00BE5AEB
gethostbyname.WSOCK32(?), ref: 00BE5AF7
IcmpCreateFile.IPHLPAPI ref: 00BE5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BE5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BE5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00BE5C00
WSACleanup.WSOCK32 ref: 00BE5C06

Strings

Ping, xrefs: 00BE5B29

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 276ba17bf22f9fa10c75cbec25217f19e9d7b420202b03db9acb728462934ec6
Instruction ID: bf1594d15d567892cf48f1271dc0ce911af7d9d58c8c0ec067905519e7bb0a12
Opcode Fuzzy Hash: 276ba17bf22f9fa10c75cbec25217f19e9d7b420202b03db9acb728462934ec6
Instruction Fuzzy Hash: 3E51AF316047019FDB20AF25CC85B2AB7E4EF48714F1489A9F55ADB2A1DB70ED40CB56

Function 00BDB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BDB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BDB7B1
GetLastError.KERNEL32 ref: 00BDB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00BDB828

Strings

INVALID, xrefs: 00BDB7FA
READY, xrefs: 00BDB801
UNKNOWN, xrefs: 00BDB7E0
NOTREADY, xrefs: 00BDB7E7
READONLY, xrefs: 00BDB7F3

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6eb6fe85cabcc442d1d6bcb7b3fe1d92447b7a9ade3280f7c5979d2c5aadcda5
Instruction ID: 8f6e44fff6f0aa0a6bacfdb6fff48b201a4a2dbcb592f6d65230040612369f90
Opcode Fuzzy Hash: 6eb6fe85cabcc442d1d6bcb7b3fe1d92447b7a9ade3280f7c5979d2c5aadcda5
Instruction Fuzzy Hash: DC312B35A00209DFDB10EF64D885EBABBF8EF84710F1580AAE516A7391EB719D42CA51

Function 00BC9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

Part of subcall function 00BCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BCB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00BC94F6
GetDlgCtrlID.USER32 ref: 00BC9501
GetParent.USER32 ref: 00BC951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC9520
GetDlgCtrlID.USER32(?), ref: 00BC9529
GetParent.USER32(?), ref: 00BC9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00BC9548

Strings

ComboBox, xrefs: 00BC947E
ListBox, xrefs: 00BC94B3

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: d9d51e872435699b6dd04c78e149e7367833e0cf5433ea6cfc112a693719b6a9
Instruction ID: 6052857dad196e0909094717641e73ae6201b17be90f4a3a278437ac607e3179
Opcode Fuzzy Hash: d9d51e872435699b6dd04c78e149e7367833e0cf5433ea6cfc112a693719b6a9
Instruction Fuzzy Hash: D321B070A00204BBDF05AB64CCC9EFEBBA4EF59300F1041A9F962972A2DF755919DA20

Function 00BC955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

Part of subcall function 00BCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BCB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00BC95DF
GetDlgCtrlID.USER32 ref: 00BC95EA
GetParent.USER32 ref: 00BC9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00BC9609
GetDlgCtrlID.USER32(?), ref: 00BC9612
GetParent.USER32(?), ref: 00BC962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00BC9631

Strings

ComboBox, xrefs: 00BC9569
ListBox, xrefs: 00BC959E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 68f9bd5fad043500773b9132f305471161453077d6c060027c4ed0546aa1c5fb
Instruction ID: 3d39e8beb2484805c10086e8a5e8897f871efc7d67358ccb9e8a9fb041cc1646
Opcode Fuzzy Hash: 68f9bd5fad043500773b9132f305471161453077d6c060027c4ed0546aa1c5fb
Instruction Fuzzy Hash: F1218375A00204BBDF05AB60CCC5EFEBBB8EF58300F1041A9F961972E1DF759919DA20

Function 00BC9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00BC9651
GetClassNameW.USER32(00000000,?,00000100), ref: 00BC9666
_wcscmp.LIBCMT ref: 00BC9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BC96F3

Strings

list, xrefs: 00BC96D5
largeicons, xrefs: 00BC9687
details, xrefs: 00BC96A1
smallicons, xrefs: 00BC96BB
SHELLDLL_DefView, xrefs: 00BC9672

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: bd1234a6cbc80fe2eedd1b91c7b826556fc02035f6c85e022110a16cdef262c5
Instruction ID: 83e25296c20e591e1812da50d1e9039571e7dff9007404f62873ad3f92fad060
Opcode Fuzzy Hash: bd1234a6cbc80fe2eedd1b91c7b826556fc02035f6c85e022110a16cdef262c5
Instruction Fuzzy Hash: 3611CA76248327BAFB012620EC4EEB677DCDF05760F2001BAF900E54E1FE6159519558

Function 00BE8BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE8BEC
CoInitialize.OLE32(00000000), ref: 00BE8C19
CoUninitialize.OLE32 ref: 00BE8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00BE8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00BE8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00C02C0C), ref: 00BE8E84
CoGetObject.OLE32(?,00000000,00C02C0C,?), ref: 00BE8EA7
SetErrorMode.KERNEL32(00000000), ref: 00BE8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BE8F3A
VariantClear.OLEAUT32(?), ref: 00BE8F4A

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 97adbab6084f88834d1d6c4fe1c3b9ee3ea1528b654108230f4291e18daa036a
Instruction ID: adc7821d6757523aefd906f67c7d50271271ba27e0659eec0766481937dee3a8
Opcode Fuzzy Hash: 97adbab6084f88834d1d6c4fe1c3b9ee3ea1528b654108230f4291e18daa036a
Instruction Fuzzy Hash: 07C14471208745AFD700DF65C88492BB7E9FF88748F0089ADF58A9B261DB71ED05CB52

Function 00BD4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00BD419D
__swprintf.LIBCMT ref: 00BD41AA

Part of subcall function 00B938D8: __woutput_l.LIBCMT ref: 00B93931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00BD41D4
LoadResource.KERNEL32(?,00000000), ref: 00BD41E0
LockResource.KERNEL32(00000000), ref: 00BD41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00BD420D
LoadResource.KERNEL32(?,00000000), ref: 00BD421F
SizeofResource.KERNEL32(?,00000000), ref: 00BD422E
LockResource.KERNEL32(?), ref: 00BD423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00BD429B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: fd7e690876cf4609109d1d9f82df3e6c1c55b6d10a01d75d9216125c18cf54dd
Instruction ID: c54298373a89f74d4c6dddc85ee56ce98ee0d1e65202a7ccbd2454c00e4c8c51
Opcode Fuzzy Hash: fd7e690876cf4609109d1d9f82df3e6c1c55b6d10a01d75d9216125c18cf54dd
Instruction Fuzzy Hash: 65318EB560521AABDB159F61DC89ABFBBECEF04301F004566F915D3250EB30DA61CBB4

Function 00BD16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BD1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00BD0778,?,00000001), ref: 00BD1714
GetWindowThreadProcessId.USER32(00000000), ref: 00BD171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BD0778,?,00000001), ref: 00BD172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BD173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BD0778,?,00000001), ref: 00BD1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BD0778,?,00000001), ref: 00BD1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00BD0778,?,00000001), ref: 00BD17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00BD0778,?,00000001), ref: 00BD17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00BD0778,?,00000001), ref: 00BD17CC

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 7890ffd0b5d9afd48e835d62f576c8eb0a89b72994b0a3feeea65cad86a84ff0
Instruction ID: b9522f8f815d23aee1ffb626fb8baf81afed165aac767d57cfadbf2d58e634d6
Opcode Fuzzy Hash: 7890ffd0b5d9afd48e835d62f576c8eb0a89b72994b0a3feeea65cad86a84ff0
Instruction Fuzzy Hash: 9C3180B5614204BBDB219F98DC88BB9B7EAFB59711F104556F804DB3B0EB749D80CB60

Function 00B7FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B7FC06
OleUninitialize.OLE32(?,00000000), ref: 00B7FCA5
UnregisterHotKey.USER32(?), ref: 00B7FDFC
DestroyWindow.USER32(?), ref: 00BB4A00
FreeLibrary.KERNEL32(?), ref: 00BB4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BB4A92

Strings

close all, xrefs: 00B7FC01

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2e9ddf30fd9759eb1aecdcd651e090fbcdff96d278df9e8955d90aef2703fc17
Instruction ID: d081e1c8e127002e6a6d4216349d38b1eb4f39996c9ba9928188c4a2e355650f
Opcode Fuzzy Hash: 2e9ddf30fd9759eb1aecdcd651e090fbcdff96d278df9e8955d90aef2703fc17
Instruction Fuzzy Hash: E0A118317012128FCB29EB14C595A79F7E5FF04740F1482EDE91AAB262DB70AD16CF58

Function 00BCA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00BCAA64), ref: 00BCA9A2

Strings

REGEXPCLASS, xrefs: 00BCA767
NAME, xrefs: 00BCA7D4
CLASSNN, xrefs: 00BCA744
CLASS, xrefs: 00BCA721
TEXT, xrefs: 00BCA8D9
INSTANCE, xrefs: 00BCA8B0

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 9ed987bee35a61e7088f0b873849a8ea90e3f2c35b8fbe6af7ca5c936bfb8299
Instruction ID: 880c88c8bef79fb6438eb7fa316a80d2504a7c3038c0ea39b298a29129726e43
Opcode Fuzzy Hash: 9ed987bee35a61e7088f0b873849a8ea90e3f2c35b8fbe6af7ca5c936bfb8299
Instruction Fuzzy Hash: E8916470A0050AABDF18DF60C482FE9FBF4FF04308F5481A9E99AA7551DF706999CB91

Function 00B72E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B72EAE

Part of subcall function 00B71DB3: GetClientRect.USER32(?,?), ref: 00B71DDC
Part of subcall function 00B71DB3: GetWindowRect.USER32(?,?), ref: 00B71E1D
Part of subcall function 00B71DB3: ScreenToClient.USER32(?,?), ref: 00B71E45

GetDC.USER32 ref: 00BACF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BACF95
SelectObject.GDI32(00000000,00000000), ref: 00BACFA3
SelectObject.GDI32(00000000,00000000), ref: 00BACFB8
ReleaseDC.USER32(?,00000000), ref: 00BACFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BAD04B

Strings

U, xrefs: 00BACF20

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 39eaa66197db71b11a55c18ac5e64bcb9b7e65a1bbba754e7c5105a4667db8cc
Instruction ID: cec3118c74e5cd84b1528aa32e9fdb57153d8bfe52ea69d7080a7523483da52a
Opcode Fuzzy Hash: 39eaa66197db71b11a55c18ac5e64bcb9b7e65a1bbba754e7c5105a4667db8cc
Instruction Fuzzy Hash: DD71A330504205EFCF218F64C895ABA7BF6FF4A350F1482EAED569B2A5C7318C45DB61

Function 00BFC27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B72612: GetWindowLongW.USER32(?,000000EB), ref: 00B72623

Part of subcall function 00B72344: GetCursorPos.USER32(?), ref: 00B72357
Part of subcall function 00B72344: ScreenToClient.USER32(00C367B0,?), ref: 00B72374
Part of subcall function 00B72344: GetAsyncKeyState.USER32(00000001), ref: 00B72399
Part of subcall function 00B72344: GetAsyncKeyState.USER32(00000002), ref: 00B723A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00BFC2E4
ImageList_EndDrag.COMCTL32 ref: 00BFC2EA
ReleaseCapture.USER32 ref: 00BFC2F0
SetWindowTextW.USER32(?,00000000), ref: 00BFC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00BFC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00BFC48F

Strings

@GUI_DROPID, xrefs: 00BFC3E1
@GUI_DRAGFILE, xrefs: 00BFC424

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 78893e2ac8cae4d043487783996dadfd5999fe47d0af3b3ae549cacc3a26e370
Instruction ID: b1b4d325cf773c08664046345e5814dec063adabc305d0d21a1600d51d3c9eeb
Opcode Fuzzy Hash: 78893e2ac8cae4d043487783996dadfd5999fe47d0af3b3ae549cacc3a26e370
Instruction Fuzzy Hash: D6516D70604309AFDB14DF24C895F7A7BE5EF88310F10856DF6A58B2E1DB71A948CB52

Function 00BE8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00BFF910), ref: 00BE903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00BFF910), ref: 00BE9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BE91EB
SysFreeString.OLEAUT32(?), ref: 00BE9215

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 88904452ed0434f13d3197c129dacad2b9aa3ca5d7eda6bd07c328f6a4ef3d81
Instruction ID: f12db89fc57f8984f4ca3a67917799331e1725de205f9059e8d505664160db15
Opcode Fuzzy Hash: 88904452ed0434f13d3197c129dacad2b9aa3ca5d7eda6bd07c328f6a4ef3d81
Instruction Fuzzy Hash: 20F14C71A00209EFDF04DF95C888EAEB7B9FF49314F108499F915AB291DB31AE49CB50

Function 00BEF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BEF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BEFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BEFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BEFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BEFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BEFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00BEFD90
CloseHandle.KERNEL32(?), ref: 00BEFDBF
CloseHandle.KERNEL32(?), ref: 00BEFE36

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 9e6cfd141034ca3b74ac78cc77d2ed3deb6c2edcb2e9903faeb8d263dfec4cb5
Instruction ID: 74a39d2816f27abede26dc758752952641eb9502ee31f01cc521171ef61be67d
Opcode Fuzzy Hash: 9e6cfd141034ca3b74ac78cc77d2ed3deb6c2edcb2e9903faeb8d263dfec4cb5
Instruction Fuzzy Hash: 8FE191316042429FCB14EF25C891A7ABBE1EF84354F1485BDF8999B3A2DB31EC45CB52

Function 00BD4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BD38D3,?), ref: 00BD48C7

Part of subcall function 00BD48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BD38D3,?), ref: 00BD48E0

Part of subcall function 00BD4CD3: GetFileAttributesW.KERNEL32(?,00BD3947), ref: 00BD4CD4

lstrcmpiW.KERNEL32(?,?), ref: 00BD4FE2
_wcscmp.LIBCMT ref: 00BD4FFC
MoveFileW.KERNEL32(?,?), ref: 00BD5017

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: a5491247d916692b643597d1c7725ac63e31a0bea9494f697f5075ef37dffde6
Instruction ID: 5587b095facdfb7ccbb95117ddba4862ff3a30e1f1e164cb864e6387ddd622a9
Opcode Fuzzy Hash: a5491247d916692b643597d1c7725ac63e31a0bea9494f697f5075ef37dffde6
Instruction Fuzzy Hash: 295151B24087859BC724EBA0C8819DFF3ECEF84340F14496FB199D7251EF75A6888766

Function 00BF88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BF896E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 1f4af682fca2d929f6766ab6d463d5fcf75d0f0e3603b35fc7d8cf4b07d8c502
Instruction ID: 9824939377e636f3d08592699030680370c011bc3fcb25ea5413114675404865
Opcode Fuzzy Hash: 1f4af682fca2d929f6766ab6d463d5fcf75d0f0e3603b35fc7d8cf4b07d8c502
Instruction Fuzzy Hash: 69517030A0020DBADF209F28CC85BB97BE5EF05350F608196FB15E71A1DF71A998DB91

Function 00B72B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00BAC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BAC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BAC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00BAC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BAC5C0
DestroyIcon.USER32(00000000), ref: 00BAC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BAC5EC
DestroyIcon.USER32(?), ref: 00BAC5FB

Part of subcall function 00BFA71E: DeleteObject.GDI32(00000000), ref: 00BFA757

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 3f5e99d318f2e8cca359eb4a8d20dfc1312536116543663f4d4202672fbca414
Instruction ID: 0bb5c70a062a9a91d36f9ec04e9180d85215c6ec0d681fe44838a86ef0daba31
Opcode Fuzzy Hash: 3f5e99d318f2e8cca359eb4a8d20dfc1312536116543663f4d4202672fbca414
Instruction Fuzzy Hash: 56514970A00209AFDB24DF24CC86BBA7BF5EF59310F1085A9F916972A0DB70ED90DB50

Function 00BC8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00BC8A84,00000B00,?,?), ref: 00BC8E0C
HeapAlloc.KERNEL32(00000000,?,00BC8A84,00000B00,?,?), ref: 00BC8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BC8A84,00000B00,?,?), ref: 00BC8E28
GetCurrentProcess.KERNEL32(?,00000000,?,00BC8A84,00000B00,?,?), ref: 00BC8E30
DuplicateHandle.KERNEL32(00000000,?,00BC8A84,00000B00,?,?), ref: 00BC8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00BC8A84,00000B00,?,?), ref: 00BC8E43
GetCurrentProcess.KERNEL32(00BC8A84,00000000,?,00BC8A84,00000B00,?,?), ref: 00BC8E4B
DuplicateHandle.KERNEL32(00000000,?,00BC8A84,00000B00,?,?), ref: 00BC8E4E
CreateThread.KERNEL32(00000000,00000000,00BC8E74,00000000,00000000,00000000), ref: 00BC8E68

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c623ffc7268015835dda13d8b2f34bf787fdb5960213748eca6e307fc71c594b
Instruction ID: 4268a354dcbc51311d9393d0e60e02603a9a983ce9bb0ec0c205f388ab8d7245
Opcode Fuzzy Hash: c623ffc7268015835dda13d8b2f34bf787fdb5960213748eca6e307fc71c594b
Instruction Fuzzy Hash: 6801A8B5240309FFEA10ABA5DC89F7B3BACEF89711F004421FA05DB2A1CA709910CA20

Function 00BE9428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BE947C
VariantInit.OLEAUT32(?), ref: 00BE954D
VariantInit.OLEAUT32(?), ref: 00BE964E
VariantClear.OLEAUT32(?), ref: 00BE9658
VariantClear.OLEAUT32(?), ref: 00BE96B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00BE9631
Null Object assignment in FOR..IN loop, xrefs: 00BE94DD, 00BE960B, 00BE96C3

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: c00b4a2ff1f54e333ad1300a6d30b56bd879548852ebed3104b0ed48ad07478e
Instruction ID: ac6cc9ca6125c99bde1a363fa04c89b8d5a7225861a0492e779e66c8db569ecb
Opcode Fuzzy Hash: c00b4a2ff1f54e333ad1300a6d30b56bd879548852ebed3104b0ed48ad07478e
Instruction Fuzzy Hash: 3891B271A00255AFDF24DFA6D884FAEB7F8EF45710F1081AAF515AB280D7709949CFA0

Function 00BE9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00BC7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BC758C,80070057,?,?,?,00BC799D), ref: 00BC766F
Part of subcall function 00BC7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BC758C,80070057,?,?), ref: 00BC768A
Part of subcall function 00BC7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BC758C,80070057,?,?), ref: 00BC7698
Part of subcall function 00BC7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BC758C,80070057,?), ref: 00BC76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00BE9B1B
_memset.LIBCMT ref: 00BE9B28
_memset.LIBCMT ref: 00BE9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00BE9C97
CoTaskMemFree.OLE32(?), ref: 00BE9CA2

Strings

NULL Pointer assignment, xrefs: 00BE9CF0

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 7a8d83533d58c983d70ec00b4e4f44ae52c09c9d20819d49a18b78804df5b3a9
Instruction ID: d970b76c4710b2197d7d6bc47993ea38f1e587211426abcb19ad4fbd5f91b794
Opcode Fuzzy Hash: 7a8d83533d58c983d70ec00b4e4f44ae52c09c9d20819d49a18b78804df5b3a9
Instruction Fuzzy Hash: 59911A71D00229ABDF10DFA5DC85ADEBBF9EF08710F2081AAE519A7241DB715A44CFA0

Function 00BF6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BF7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00BF70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BF70C1
_wcscat.LIBCMT ref: 00BF711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00BF7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BF7161

Strings

SysListView32, xrefs: 00BF7065

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 850978ab9ab12c3b7a453ed88e9928b33859eef98b7453077d33ceaa1ca38dac
Instruction ID: 6534a264c49c02dd2e6edafe502c40da50ccfcb56a5bc4895707364bcce3ee89
Opcode Fuzzy Hash: 850978ab9ab12c3b7a453ed88e9928b33859eef98b7453077d33ceaa1ca38dac
Instruction Fuzzy Hash: 2A416F71944309ABDB219F64CC85BFE77E8EF08350F1045AAF644E7291DA719D88CB60

Function 00BEEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00BD3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00BD3EB6
Part of subcall function 00BD3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00BD3EC4
Part of subcall function 00BD3E91: CloseHandle.KERNEL32(00000000), ref: 00BD3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BEECB8
GetLastError.KERNEL32 ref: 00BEECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BEECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00BEED77
GetLastError.KERNEL32(00000000), ref: 00BEED82
CloseHandle.KERNEL32(00000000), ref: 00BEEDB7

Strings

SeDebugPrivilege, xrefs: 00BEECD6

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 99a36b20fb2b0642f17b7b4da4d00a081c8cabba39830cc96d2049868d91d09e
Instruction ID: 64e99e2a010b802fb6b71841931c650122f26281d8739ce707829428956530e8
Opcode Fuzzy Hash: 99a36b20fb2b0642f17b7b4da4d00a081c8cabba39830cc96d2049868d91d09e
Instruction Fuzzy Hash: 9A4174712002029FDB15EF24CC95F7AB7E1AF80714F0880A9F9569B292DBB5A904CB96

Function 00BD3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00BD32C5

Strings

stop, xrefs: 00BD3296
info, xrefs: 00BD3266
blank, xrefs: 00BD3247
warning, xrefs: 00BD32AE
question, xrefs: 00BD327E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 76391982e99ce98ce2953eecb9f3ad930a684f0b96a395acc33b44929cd3a69b
Instruction ID: b463a86295add4a6e33a8569dd30bb329f90fa44680be7fe634db5b99bb259b9
Opcode Fuzzy Hash: 76391982e99ce98ce2953eecb9f3ad930a684f0b96a395acc33b44929cd3a69b
Instruction Fuzzy Hash: 2D11EB35A48356BB9B016A54EC82C6BF3DCDF19B70F2000BBF504B6383F6655B4045A6

Function 00BD4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BD454E
LoadStringW.USER32(00000000), ref: 00BD4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BD456B
LoadStringW.USER32(00000000), ref: 00BD4572
_wprintf.LIBCMT ref: 00BD4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BD45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00BD4593

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: b650a2e371fa0cafa756c12943c41d1b92977eb6775f6ff59ed6ef20a74a60b8
Instruction ID: 7e32d95c053ed1a3aecede56d93c7495f18eec7743f0e5743d231d22bb3c79cc
Opcode Fuzzy Hash: b650a2e371fa0cafa756c12943c41d1b92977eb6775f6ff59ed6ef20a74a60b8
Instruction Fuzzy Hash: C7014FF2900209BFE710A7A49D89EF677ACDB08701F0005A6BB45E3151EE749E85CB75

Function 00BFD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B72612: GetWindowLongW.USER32(?,000000EB), ref: 00B72623

GetSystemMetrics.USER32(0000000F), ref: 00BFD78A
GetSystemMetrics.USER32(0000000F), ref: 00BFD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BFD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BFDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BFDA24
ShowWindow.USER32(00000003,00000000), ref: 00BFDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00BFDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00BFDA8B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 88aa55a055ba86e1518ad8743dba7bc2d2f6b8c1315a6aacabf586c8eeaa8c82
Instruction ID: 77dfcda9b25e911282e8fd0a638797afd2fae7bce8644cd5bd16792f16c8e2e8
Opcode Fuzzy Hash: 88aa55a055ba86e1518ad8743dba7bc2d2f6b8c1315a6aacabf586c8eeaa8c82
Instruction Fuzzy Hash: 3DB1687160021AABDF14CF68C9857BD7BF2FF04701F08C1A9EE489B295DB74A958CB60

Function 00B72A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00BAC417,00000004,00000000,00000000,00000000), ref: 00B72ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00BAC417,00000004,00000000,00000000,00000000,000000FF), ref: 00B72B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00BAC417,00000004,00000000,00000000,00000000), ref: 00BAC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00BAC417,00000004,00000000,00000000,00000000), ref: 00BAC4D6

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ee35cbe485aa442726b8c03d67228aebed23bf32ef81a4a56ab5a7cda2f87402
Instruction ID: cbb00b6e7bf881b14231a0e674dd59c47c66ae1c8127d1b2c1cf4431f847e560
Opcode Fuzzy Hash: ee35cbe485aa442726b8c03d67228aebed23bf32ef81a4a56ab5a7cda2f87402
Instruction Fuzzy Hash: 4B410930608B81AEC7358B288CD9B7A7FD2EF4A300F28C8DDE06F87661CA759845D711

Function 00BD7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00BD737F

Part of subcall function 00B90FF6: std::exception::exception.LIBCMT ref: 00B9102C
Part of subcall function 00B90FF6: __CxxThrowException@8.LIBCMT ref: 00B91041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00BD73B6
EnterCriticalSection.KERNEL32(?), ref: 00BD73D2
_memmove.LIBCMT ref: 00BD7420
_memmove.LIBCMT ref: 00BD743D
LeaveCriticalSection.KERNEL32(?), ref: 00BD744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00BD7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00BD7480

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 923e1eca28d274cbf18ae3b62f55f566d40746a0e6627bcf74a3bd830fd3f2bb
Instruction ID: 3b8ca1454f93c39f65c8c067e0463bfe3d54e4aa6f82b19e3d5c12c8ed14e0dd
Opcode Fuzzy Hash: 923e1eca28d274cbf18ae3b62f55f566d40746a0e6627bcf74a3bd830fd3f2bb
Instruction Fuzzy Hash: 13318131904206EBCF10EF58DC85ABEBBB8EF44710B1441F5F904AB246EB319A10DBA4

Function 00BF6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00BF645A
GetDC.USER32(00000000), ref: 00BF6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BF646D
ReleaseDC.USER32(00000000,00000000), ref: 00BF6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BF64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BF64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BF9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00BF6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BF6520

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c66370d4b29b53c68dddee404aaef2218147c27581ad864fb8da2e1a7160c5ac
Instruction ID: d8e7c340ba6f2560f8bfa57a99098bc63dd46f25d84ec8241ebc0fb6616dc79c
Opcode Fuzzy Hash: c66370d4b29b53c68dddee404aaef2218147c27581ad864fb8da2e1a7160c5ac
Instruction Fuzzy Hash: 3B315C72201218BFEB118F54CC8AFBA3BA9EF19761F044065FE08EB295DA759841CB64

Function 00BCC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00BCC087
_memcmp.LIBCMT ref: 00BCC0A9
_memcmp.LIBCMT ref: 00BCC0C1
_memcmp.LIBCMT ref: 00BCC0D4
_memcmp.LIBCMT ref: 00BCC0EE
_memcmp.LIBCMT ref: 00BCC101
_memcmp.LIBCMT ref: 00BCC119
_memcmp.LIBCMT ref: 00BCC134

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4fa53bbdbb6c142e767a6a8d73a0133307866551ebca33c59924b6b020ce426f
Instruction ID: bc91474fba253731881aedd5af24f00d7ba077491f116f931bd8f75ec2c155db
Opcode Fuzzy Hash: 4fa53bbdbb6c142e767a6a8d73a0133307866551ebca33c59924b6b020ce426f
Instruction Fuzzy Hash: 5421A762A00206B7EA15A5258D86FAF3BDCEF30394B0840B9FE0D962C2E751DD11D2A5

Function 00BDED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

Part of subcall function 00B8FEC6: _wcscpy.LIBCMT ref: 00B8FEE9

_wcstok.LIBCMT ref: 00BDEEFF
_wcscpy.LIBCMT ref: 00BDEF8E
_memset.LIBCMT ref: 00BDEFC1

Strings

X, xrefs: 00BDEFFE

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 2f5d0f13737c527218dff8b8cf5becda2bd926c185bbf3c5dd26e72fa3b53f53
Instruction ID: b73508ccd44a5f7fac5d148bba23cae822e4571ae33414981e93e448882c6983
Opcode Fuzzy Hash: 2f5d0f13737c527218dff8b8cf5becda2bd926c185bbf3c5dd26e72fa3b53f53
Instruction Fuzzy Hash: E5C153715083019FD724EF24C881A6AF7E4EF85310F1489ADF5AA9B3A2DB70ED45CB52

Function 00BE6E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00BE6F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BE6F35
WSAGetLastError.WSOCK32(00000000), ref: 00BE6F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00BE6FFE
inet_ntoa.WSOCK32(?), ref: 00BE6FBB

Part of subcall function 00BCAE14: _strlen.LIBCMT ref: 00BCAE1E
Part of subcall function 00BCAE14: _memmove.LIBCMT ref: 00BCAE40

_strlen.LIBCMT ref: 00BE7058
_memmove.LIBCMT ref: 00BE70C1

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 80a5778101cf8bc56bf547b4f18642191c94a68a194d53167f1a9733a77ae048
Instruction ID: e86f1f73685e38bcbd5ae1dd36bd9e7d150fe33a5439faf906e7174cbf177899
Opcode Fuzzy Hash: 80a5778101cf8bc56bf547b4f18642191c94a68a194d53167f1a9733a77ae048
Instruction Fuzzy Hash: 1E81D131508340ABD710EB25CC85E6BB7E9EF84714F1089ADF56A9B2A2DF709D05CB92

Function 00B71424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222a8a70f52a55c4bc5321a6f2d0d5653ea2198f3a15a2b4566a2a2ec075bf60
Instruction ID: 35d86905f4ce835922f367b881e012265d186836b98f55be9d213eed833707c3
Opcode Fuzzy Hash: 222a8a70f52a55c4bc5321a6f2d0d5653ea2198f3a15a2b4566a2a2ec075bf60
Instruction Fuzzy Hash: 87714B70904109EFCB148F9DC889EBEBBB9FF85310F14C599E929AB251C734AA51CF64

Function 00BFB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016954A0), ref: 00BFB6A5
IsWindowEnabled.USER32(016954A0), ref: 00BFB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00BFB795
SendMessageW.USER32(016954A0,000000B0,?,?), ref: 00BFB7CC
IsDlgButtonChecked.USER32(?,?), ref: 00BFB809
GetWindowLongW.USER32(016954A0,000000EC), ref: 00BFB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BFB843

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2786394aec2ea4f27ebc64db6e24c9ecbdabf0bc98657007d68738aca25ba124
Instruction ID: b089282ff3a3b8b7cb3f76ac19ef49be79a673540fe52cc1187e782f8e0bca43
Opcode Fuzzy Hash: 2786394aec2ea4f27ebc64db6e24c9ecbdabf0bc98657007d68738aca25ba124
Instruction Fuzzy Hash: 48717D74604209BFDB24AF64C8D4FBABBF9FF49300F1440A9EA55972A1CB31AD49CB54

Function 00BEF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BEF75C
_memset.LIBCMT ref: 00BEF825
ShellExecuteExW.SHELL32(?), ref: 00BEF86A

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

Part of subcall function 00B8FEC6: _wcscpy.LIBCMT ref: 00B8FEE9

GetProcessId.KERNEL32(00000000), ref: 00BEF8E1
CloseHandle.KERNEL32(00000000), ref: 00BEF910

Strings

@, xrefs: 00BEF839

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 8c5fc0295edd88c5836e5e3e954908ac8473d3d468009e0541c592dac5d3d08c
Instruction ID: 5b1169eac3eae11c2e1ce383f10daa7d11ec899718013d9cdd89d1de28265f70
Opcode Fuzzy Hash: 8c5fc0295edd88c5836e5e3e954908ac8473d3d468009e0541c592dac5d3d08c
Instruction Fuzzy Hash: 10618F75A0065ADFCF14EF55C481AAEBBF5FF48310F1484A9E85AAB351CB31AE41CB90

Function 00BD145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00BD149C
GetKeyboardState.USER32(?), ref: 00BD14B1
SetKeyboardState.USER32(?), ref: 00BD1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00BD1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00BD155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00BD15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BD15C8

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2ce0c7a1d99f339d1d2991eb6b7b445ad65258701269cd27d478b9022ac7ee8c
Instruction ID: 321c326f4361f800ea8458df1309afa40bcce0ccc2132972a7fc459e3a568f5f
Opcode Fuzzy Hash: 2ce0c7a1d99f339d1d2991eb6b7b445ad65258701269cd27d478b9022ac7ee8c
Instruction Fuzzy Hash: BD51E5A06047D63DFB36463C8C45BB6FEE99B46304F0848CAE1D556AD2E698EC84DB50

Function 00BD1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00BD12B5
GetKeyboardState.USER32(?), ref: 00BD12CA
SetKeyboardState.USER32(?), ref: 00BD132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BD1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BD1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BD13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BD13D9

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c137e4409d9125473110380397fcf7132a735ec962b8edaccbd5a197748946e9
Instruction ID: 5f6a5274e2ef96cf2ec8fb7f12171443ab080163cfbc2dda2d1023500f610c0e
Opcode Fuzzy Hash: c137e4409d9125473110380397fcf7132a735ec962b8edaccbd5a197748946e9
Instruction Fuzzy Hash: 2B5126A05047D63DFB3287288C41B7AFFE99F06310F0888CAE1D856AC2E795EC94D754

Function 00BD589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00BD58AC
_wcsncpy.LIBCMT ref: 00BD58E1
_wcsncpy.LIBCMT ref: 00BD5913
_wcsncpy.LIBCMT ref: 00BD5946
_wcsncpy.LIBCMT ref: 00BD5988
_wcsncpy.LIBCMT ref: 00BD59C2
_wcsncpy.LIBCMT ref: 00BD59F1

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 50b1c420be89c4d2079c16bfb28f38ef8660e29d28876579d19bcb14fa7ecc17
Instruction ID: f42054fbd209016ce0e68befb8ce7cf13e99d268daa0e8cc5281a7f8acf57c0e
Opcode Fuzzy Hash: 50b1c420be89c4d2079c16bfb28f38ef8660e29d28876579d19bcb14fa7ecc17
Instruction Fuzzy Hash: CE413E65C2062876CF11EBB48886DCFB7E8AF05710F5095A6F518E3221F734E715C7AA

Function 00BD38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BD38D3,?), ref: 00BD48C7

Part of subcall function 00BD48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BD38D3,?), ref: 00BD48E0

lstrcmpiW.KERNEL32(?,?), ref: 00BD38F3
_wcscmp.LIBCMT ref: 00BD390F
MoveFileW.KERNEL32(?,?), ref: 00BD3927
_wcscat.LIBCMT ref: 00BD396F
SHFileOperationW.SHELL32(?), ref: 00BD39DB

Strings

\*.*, xrefs: 00BD3969

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 7172341d51ff2e195aec192ff45db4ff4f629b4b7f7112538efe0b3bda918f25
Instruction ID: 6abe600e6bb2fb09b0c92d6c9eb563b31795ec81ccb4e7c1fd9ea9c599a28cc5
Opcode Fuzzy Hash: 7172341d51ff2e195aec192ff45db4ff4f629b4b7f7112538efe0b3bda918f25
Instruction Fuzzy Hash: 9C417EB14093449AC751EF64C491AEBF7E8EF88740F4409AFB48AC3252FB78D688C752

Function 00BF7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BF7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BF75C0
IsMenu.USER32(?), ref: 00BF75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BF7620
DrawMenuBar.USER32 ref: 00BF7633

Strings

0, xrefs: 00BF750D

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1aa93808aa4b3e16c8318e3e7ef6b0cdf86bcf7ee3591e1cba3a1a124a77a87c
Instruction ID: 6bd38599a6dd77cba09a4f5afac0ae3a54507ef87ea54a73af124fc22bf2e9bf
Opcode Fuzzy Hash: 1aa93808aa4b3e16c8318e3e7ef6b0cdf86bcf7ee3591e1cba3a1a124a77a87c
Instruction Fuzzy Hash: A4411B75A04609EFDB10DF94D884EAABBF9FF08354F0481A9EA5597390DB30AD54CFA0

Function 00BF122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00BF125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BF1286
FreeLibrary.KERNEL32(00000000), ref: 00BF133D

Part of subcall function 00BF122D: RegCloseKey.ADVAPI32(?), ref: 00BF12A3
Part of subcall function 00BF122D: FreeLibrary.KERNEL32(?), ref: 00BF12F5
Part of subcall function 00BF122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00BF1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00BF12E0

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: bd03b53d90dacc85a48103f00d4795e1d8226f5608b8cd9dba2e79b4921d9bf1
Instruction ID: cdcfebb469ccd74bf20c1de99d9f687c27ca56627f56037c7fb0ceccea6910f9
Opcode Fuzzy Hash: bd03b53d90dacc85a48103f00d4795e1d8226f5608b8cd9dba2e79b4921d9bf1
Instruction Fuzzy Hash: 68310AB190111DFFDB159FA4DC89AFEB7BCEF08300F0009A9E601E3551EA749E499AA4

Function 00BF653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BF655B
GetWindowLongW.USER32(016954A0,000000F0), ref: 00BF658E
GetWindowLongW.USER32(016954A0,000000F0), ref: 00BF65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00BF65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00BF661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00BF6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00BF664A

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 48986ef8e03174846f4a7f565a8475ea5f513ac7f6be05edbbd1da061e1e1eb0
Instruction ID: b2a4baf895134ad1fde0e0df4dad2be25e0296ddd187b8a6bb51d326199828b6
Opcode Fuzzy Hash: 48986ef8e03174846f4a7f565a8475ea5f513ac7f6be05edbbd1da061e1e1eb0
Instruction Fuzzy Hash: 1A310331604259AFDB20CF18DC85F693BE1FB5A710F1941A8FA11DB2B6CB71AC48DB51

Function 00BE6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BE80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00BE64D9
WSAGetLastError.WSOCK32(00000000), ref: 00BE64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00BE6521
connect.WSOCK32(00000000,?,00000010), ref: 00BE652A
WSAGetLastError.WSOCK32 ref: 00BE6534
closesocket.WSOCK32(00000000), ref: 00BE655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00BE6576

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 56616efded7e3bdce385c639a5a6ca76e7897403601a5af9a14f5c72a0db9da4
Instruction ID: bcbc69d438eded3947d6d765ca6a347a890491f3a2af948093a30ada2694ada8
Opcode Fuzzy Hash: 56616efded7e3bdce385c639a5a6ca76e7897403601a5af9a14f5c72a0db9da4
Instruction Fuzzy Hash: 88319371600118AFDB10AF25CC85BBE7BF9EF54764F0480A9F90997291DB74AD04CB61

Function 00BCE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BCE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BCE120
SysAllocString.OLEAUT32(00000000), ref: 00BCE123
SysAllocString.OLEAUT32 ref: 00BCE144
SysFreeString.OLEAUT32 ref: 00BCE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00BCE167
SysAllocString.OLEAUT32(?), ref: 00BCE175

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4bbd2b75aa8b0edf5c505b06641b9897328871678ef9b5efe557553e5647d095
Instruction ID: dd3fccde45cae7950d4cfb2746ceadf23df10540ada6ee6e0045c7490cb65a89
Opcode Fuzzy Hash: 4bbd2b75aa8b0edf5c505b06641b9897328871678ef9b5efe557553e5647d095
Instruction Fuzzy Hash: 44214136604109EF9B10AFA8DC89DBB77ECEF09760B148179FA25DB260DA70DD41CB64

Function 00BF783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B71D73
Part of subcall function 00B71D35: GetStockObject.GDI32(00000011), ref: 00B71D87
Part of subcall function 00B71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B71D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BF78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BF78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BF78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BF78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BF78D4

Strings

Msctls_Progress32, xrefs: 00BF7872

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 36ab5ce244249309e87044cb9790d1178f976ef8fe784ba8811159d528ac7a60
Instruction ID: 130e62f6c28363217597ecfd626b49e26f0b8a5397bca748eca298cb35120f5d
Opcode Fuzzy Hash: 36ab5ce244249309e87044cb9790d1178f976ef8fe784ba8811159d528ac7a60
Instruction Fuzzy Hash: 26118EB215021DBEEF159E65CC85EEB7F6DEF08798F014124BB04A3090CB72AC21DBA4

Function 00B941C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00B94292,?), ref: 00B941E3
GetProcAddress.KERNEL32(00000000), ref: 00B941EA
EncodePointer.KERNEL32(00000000), ref: 00B941F6
DecodePointer.KERNEL32(00000001,00B94292,?), ref: 00B94213

Strings

combase.dll, xrefs: 00B941DE
RoInitialize, xrefs: 00B941D2

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 9030f59d12e1dc0ecab761f94616e22675a7cff45e71156a648954f50f89aaf9
Instruction ID: b22c44451fc06ed08f9bc204b6cd74d68fbb89a78b2d34ac1bdf7f2190f9d0c3
Opcode Fuzzy Hash: 9030f59d12e1dc0ecab761f94616e22675a7cff45e71156a648954f50f89aaf9
Instruction Fuzzy Hash: 1CE0E5B06A0742AAEF246BB0EC4DB3C3AA4BB22702F104474B411E70E0DBB55491CE04

Function 00B9429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B941B8), ref: 00B942B8
GetProcAddress.KERNEL32(00000000), ref: 00B942BF
EncodePointer.KERNEL32(00000000), ref: 00B942CA
DecodePointer.KERNEL32(00B941B8), ref: 00B942E5

Strings

combase.dll, xrefs: 00B942B3
RoUninitialize, xrefs: 00B942A7

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 2851f1f6a1bf5a6495cb6583de97816b6b79db727b50b5dd316c849e4d67a4d7
Instruction ID: 71986f9c0f25f6318b43334531bc33a77d3d63652acdf3d789cc255e8e106a0a
Opcode Fuzzy Hash: 2851f1f6a1bf5a6495cb6583de97816b6b79db727b50b5dd316c849e4d67a4d7
Instruction Fuzzy Hash: 7BE0B6785A1702ABEF149B60ED0DF2D3AA4BB24742F104034F001E31A0CFB45984DA18

Function 00BD675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BD68AD
_memmove.LIBCMT ref: 00BD67E8

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

_memmove.LIBCMT ref: 00BD685B
_memmove.LIBCMT ref: 00BD6942
_memmove.LIBCMT ref: 00BD695B
_memmove.LIBCMT ref: 00BD6977

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: cd0f19026607771e4206361ee0657024ef77af5333a46932f83a890dab33a7b6
Instruction ID: 14b1c6e1fc66b92a05f0c5c9689d05de8a8c571f2eb1127ed66ccab33705fca2
Opcode Fuzzy Hash: cd0f19026607771e4206361ee0657024ef77af5333a46932f83a890dab33a7b6
Instruction Fuzzy Hash: 7961AD3050065A9BDF11EF24CC91EFEB7E5EF44308F0485AAF9695B292EB35AD01DB50

Function 00BF046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

Part of subcall function 00BF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BF0038,?,?), ref: 00BF10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BF0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BF0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00BF05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BF05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BF0617
RegCloseKey.ADVAPI32(00000000), ref: 00BF0624

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 274d7fc4d9413d3cdf057900d6f9323d1467d669ae7c42aca0df1b0ded2ed825
Instruction ID: b1baf86a23a61acb27ae2c99f132aa4414d5a6075cce6e7211893b050f2a54c5
Opcode Fuzzy Hash: 274d7fc4d9413d3cdf057900d6f9323d1467d669ae7c42aca0df1b0ded2ed825
Instruction Fuzzy Hash: 85514C31118205AFCB14EF64C885E7EBBE9FF84314F0489ADF555972A2DB71E908CB52

Function 00BF5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00BF5A82
GetMenuItemCount.USER32(00000000), ref: 00BF5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BF5AE1
GetMenuItemID.USER32(?,?), ref: 00BF5B50
GetSubMenu.USER32(?,?), ref: 00BF5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00BF5BAF

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 4e39b1f8600e845e0d870e77c5c8907cf566670f2abba3688dc26af818946bac
Instruction ID: 4218266bf0914036ea86679b15c302a1ba3fc3324fd9a7b40973b3d60727230d
Opcode Fuzzy Hash: 4e39b1f8600e845e0d870e77c5c8907cf566670f2abba3688dc26af818946bac
Instruction Fuzzy Hash: 4B516035A00619AFDF21DF64C885ABEB7F4EF48310F1044A9EA15B7352CB71AE45CB90

Function 00BCF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BCF3F7
VariantClear.OLEAUT32(00000013), ref: 00BCF469
VariantClear.OLEAUT32(00000000), ref: 00BCF4C4
_memmove.LIBCMT ref: 00BCF4EE
VariantClear.OLEAUT32(?), ref: 00BCF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BCF569

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 2881c7efea1aaf2d279c4a1276af4b1fb08091b78ed404e60c1bea9ae2ed9977
Instruction ID: 08714c52c7d7d3bd4f76ef533208fce2823fb7b4fc2c2e7db5c02b46b4c06b99
Opcode Fuzzy Hash: 2881c7efea1aaf2d279c4a1276af4b1fb08091b78ed404e60c1bea9ae2ed9977
Instruction Fuzzy Hash: 3E514CB5A0020A9FCB14CF58D884EAAB7F9FF4C354B1585A9E959DB310D730E911CBA0

Function 00BD26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BD2792
IsMenu.USER32(00000000), ref: 00BD27B2
CreatePopupMenu.USER32 ref: 00BD27E6
GetMenuItemCount.USER32(000000FF), ref: 00BD2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00BD2875

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 45b1a1cccc8010f2f89f8636a29648835e8e69fd755d0db46457e784ccf3ea45
Instruction ID: 8c9582ece7dc30622b4149de55e57626f3cf044fa2a795202b86252a7a0cce7d
Opcode Fuzzy Hash: 45b1a1cccc8010f2f89f8636a29648835e8e69fd755d0db46457e784ccf3ea45
Instruction Fuzzy Hash: DA51A070A00286DBDF25CF68D988BADFBF5EF64314F1042AAE4119B390E7729D04DB51

Function 00B71765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B72612: GetWindowLongW.USER32(?,000000EB), ref: 00B72623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00B7179A
GetWindowRect.USER32(?,?), ref: 00B717FE
ScreenToClient.USER32(?,?), ref: 00B7181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B7182C
EndPaint.USER32(?,?), ref: 00B71876

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 046ca07e9de1f25c87217fa4cd24025932c01a5cf87888e25476fd0b869f3261
Instruction ID: 5a77b5850df52300d780f83c777a9b0c3994044d187658501f1d290d6fc0e7ba
Opcode Fuzzy Hash: 046ca07e9de1f25c87217fa4cd24025932c01a5cf87888e25476fd0b869f3261
Instruction Fuzzy Hash: 79417471104301AFD710DF29CC84F7A7BF8EB49724F148AA9F569872A2CB319945DB62

Function 00BFB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00C367B0,00000000,016954A0,?,?,00C367B0,?,00BFB862,?,?), ref: 00BFB9CC
EnableWindow.USER32(00000000,00000000), ref: 00BFB9F0
ShowWindow.USER32(00C367B0,00000000,016954A0,?,?,00C367B0,?,00BFB862,?,?), ref: 00BFBA50
ShowWindow.USER32(00000000,00000004,?,00BFB862,?,?), ref: 00BFBA62
EnableWindow.USER32(00000000,00000001), ref: 00BFBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00BFBAA9

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5bdf20185a667d09f0d11274b9610f5d704c735c9d1919b6fb485c894c6b66fb
Instruction ID: 0746d8ecb0abba1b90c998a3e5c44ac7fd6124f49c8c9ac24fd769758de8dc2d
Opcode Fuzzy Hash: 5bdf20185a667d09f0d11274b9610f5d704c735c9d1919b6fb485c894c6b66fb
Instruction Fuzzy Hash: 0C411C34600249AFDB25CF54C889FB57BE1EF05314F1881E9EB588F6A2CB71A849CB51

Function 00BE73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00BE5134,?,?,00000000,00000001), ref: 00BE73BF

Part of subcall function 00BE3C94: GetWindowRect.USER32(?,?), ref: 00BE3CA7

GetDesktopWindow.USER32 ref: 00BE73E9
GetWindowRect.USER32(00000000), ref: 00BE73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00BE7422

Part of subcall function 00BD54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BD555E

GetCursorPos.USER32(?), ref: 00BE744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BE74AC

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: f651ab4d1d5cf8c844f9ca50b719c8ad078ed0693ed1157d70a0c7a3bad17388
Instruction ID: 75d52e7d5fd7681e553ff12a624b2e32e46c03816a029c80ed5f75368f256041
Opcode Fuzzy Hash: f651ab4d1d5cf8c844f9ca50b719c8ad078ed0693ed1157d70a0c7a3bad17388
Instruction Fuzzy Hash: 8731D772508346AFD720DF55D849F6BBBE9FF88314F00091AF59997291DB30E948CB92

Function 00BC8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BC8608
Part of subcall function 00BC85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BC8612
Part of subcall function 00BC85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BC8621
Part of subcall function 00BC85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BC8628
Part of subcall function 00BC85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BC863E

GetLengthSid.ADVAPI32(?,00000000,00BC8977), ref: 00BC8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BC8DB8
HeapAlloc.KERNEL32(00000000), ref: 00BC8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00BC8DD8
GetProcessHeap.KERNEL32(00000000,00000000,00BC8977), ref: 00BC8DEC
HeapFree.KERNEL32(00000000), ref: 00BC8DF3

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9bec16dafbb20b0578ce82b76897cdfea7a2277faeca11e28524e0a309ce6892
Instruction ID: 6e6c96ce907eb00a4794b862f55c581d2444430ef44fa7b6821dd649fcf33331
Opcode Fuzzy Hash: 9bec16dafbb20b0578ce82b76897cdfea7a2277faeca11e28524e0a309ce6892
Instruction Fuzzy Hash: 3D119A32600606FBDB109FA4CC49FBE7BA9EF55316F1040ADE946A7250CF32AA40CB60

Function 00BC8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BC8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00BC8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BC8B40
CloseHandle.KERNEL32(00000004), ref: 00BC8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BC8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00BC8B8E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d81afb7967b8124ea76cf30f535edd883f54a93263f9169557b2ce30443229d5
Instruction ID: 1d1f0b6b3084519fad93a0f37716851b4d91fda33ed1e99f367bb5162d7e6144
Opcode Fuzzy Hash: d81afb7967b8124ea76cf30f535edd883f54a93263f9169557b2ce30443229d5
Instruction Fuzzy Hash: 6D112CB250120AABDF018FA4ED49FEA7BE9EF08304F044069FE04A3160CB769D60DB60

Function 00BFC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B712F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B7134D
Part of subcall function 00B712F3: SelectObject.GDI32(?,00000000), ref: 00B7135C
Part of subcall function 00B712F3: BeginPath.GDI32(?), ref: 00B71373
Part of subcall function 00B712F3: SelectObject.GDI32(?,00000000), ref: 00B7139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00BFC1C4
LineTo.GDI32(00000000,00000003,?), ref: 00BFC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00BFC1E6
LineTo.GDI32(00000000,00000000,?), ref: 00BFC1F6
EndPath.GDI32(00000000), ref: 00BFC206
StrokePath.GDI32(00000000), ref: 00BFC216

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 42439bec82b24b465c829c4da846cf07d1c0f8fda8d40f3ded3324539c64cdef
Instruction ID: 348f9862706ddd6d69a0449a60a1850edb511e7bbea62d36c6ea0032967b1702
Opcode Fuzzy Hash: 42439bec82b24b465c829c4da846cf07d1c0f8fda8d40f3ded3324539c64cdef
Instruction Fuzzy Hash: 6C11C97640014DBFDB119F94DC88FBA7FADEF08354F048061BA189B1A1DB719E95DBA0

Function 00B903A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B903D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B903DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B903E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B903F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B903F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B90401

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7c46edf7243661953b90342dc5eeccad9f40c8a6bc0db8dbd18f3121bb3dc199
Instruction ID: 22ce2fa8c4e4d7a5aa7ab4dd281efb5d4c5cff3e8abfd7d53de17b89e184a6ad
Opcode Fuzzy Hash: 7c46edf7243661953b90342dc5eeccad9f40c8a6bc0db8dbd18f3121bb3dc199
Instruction Fuzzy Hash: 86016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BA15C87941C7F5A864CBE5

Function 00BD568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BD569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BD56B1
GetWindowThreadProcessId.USER32(?,?), ref: 00BD56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BD56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BD56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BD56E0

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: eaba58ed5edbfb289826432515ac80810ee6a7017ebca1053408716acdddcad6
Instruction ID: e7e8efe42b6e5b950dac87d779083e9e8a4d1ea90f81fef5639654039d6b9a0e
Opcode Fuzzy Hash: eaba58ed5edbfb289826432515ac80810ee6a7017ebca1053408716acdddcad6
Instruction Fuzzy Hash: 3BF01D3224115ABBE7215BA29C0DEFB7A7CEFC6B11F000169FA04D31509EA15A01C6B5

Function 00BD74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00BD74E5
EnterCriticalSection.KERNEL32(?,?,00B81044,?,?), ref: 00BD74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00B81044,?,?), ref: 00BD7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00B81044,?,?), ref: 00BD7510

Part of subcall function 00BD6ED7: CloseHandle.KERNEL32(00000000,?,00BD751D,?,00B81044,?,?), ref: 00BD6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00BD7523
LeaveCriticalSection.KERNEL32(?,?,00B81044,?,?), ref: 00BD752A

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 1a52f263ec0b791247c26a82c88267aa57e682dc4a48286ecca59a2f798c877f
Instruction ID: ae0b1c8ea2f81a1abd3f7ec3c23cb588bd958f787f0c4c06a3ddf6eca7a1888b
Opcode Fuzzy Hash: 1a52f263ec0b791247c26a82c88267aa57e682dc4a48286ecca59a2f798c877f
Instruction Fuzzy Hash: 4BF03A3A140613ABDB111B64FC889FA7B6AEF45302B000572F202A31A0EF755901CE50

Function 00BC8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BC8E7F
UnloadUserProfile.USERENV(?,?), ref: 00BC8E8B
CloseHandle.KERNEL32(?), ref: 00BC8E94
CloseHandle.KERNEL32(?), ref: 00BC8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00BC8EA5
HeapFree.KERNEL32(00000000), ref: 00BC8EAC

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6b50cb356a0baec8a4f6a815c91eb7718f54cde3962db672ef13518c33ad367f
Instruction ID: 2bacf9b76db9cf914a27720ed10fb426ae30060b65a0fe5ca657a6f241c561b7
Opcode Fuzzy Hash: 6b50cb356a0baec8a4f6a815c91eb7718f54cde3962db672ef13518c33ad367f
Instruction Fuzzy Hash: B5E0AE36004002EBDA012BE2EC0893ABB69EF89322B148220F22993070CF329420DB54

Function 00BE8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BE8928
CharUpperBuffW.USER32(?,?), ref: 00BE8A37
VariantClear.OLEAUT32(?), ref: 00BE8BAF

Part of subcall function 00BD7804: VariantInit.OLEAUT32(00000000), ref: 00BD7844
Part of subcall function 00BD7804: VariantCopy.OLEAUT32(00000000,?), ref: 00BD784D
Part of subcall function 00BD7804: VariantClear.OLEAUT32(00000000), ref: 00BD7859

Strings

AUTOIT.ERROR, xrefs: 00BE8A3D
Incorrect Parameter format, xrefs: 00BE8960, 00BE8B22

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 70034fda51ad36f807263c88c930f950cceeb54d170c168f7af5ed0652a775f4
Instruction ID: a1fb98369a2653ec627a7de9769f426ca3a25efa702896d789358a9ad4b27fff
Opcode Fuzzy Hash: 70034fda51ad36f807263c88c930f950cceeb54d170c168f7af5ed0652a775f4
Instruction Fuzzy Hash: 78918C75608741DFCB10DF25C48496ABBF4EF89714F0489AEF89A8B362DB31E905CB52

Function 00BD2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8FEC6: _wcscpy.LIBCMT ref: 00B8FEE9

_memset.LIBCMT ref: 00BD3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BD30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BD3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BD3187

Strings

0, xrefs: 00BD3063

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 90a50e7305aa06ab9c61ebe8076e5a0bf57499704ac389f6e4468c8e6c535c06
Instruction ID: a3fea57689394bdf6d58b9fc4535294148db71a4f32a902047cd6fcacbf9e6b8
Opcode Fuzzy Hash: 90a50e7305aa06ab9c61ebe8076e5a0bf57499704ac389f6e4468c8e6c535c06
Instruction Fuzzy Hash: A851D2716083029AD7259F28C845B6BF7E4EF55B50F044AAEF895E3292EB70CA44C753

Function 00BCDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BCDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BCDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BCDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BCDB8E

Strings

DllGetClassObject, xrefs: 00BCDB01

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ffb844e94f0dfce85700c60b7bd510dd475deb54b5bff3777ec5c538d501b598
Instruction ID: 79ae869d512d7cb0ea607e2ed48c18f244173fc49fa12b928476105015724fe7
Opcode Fuzzy Hash: ffb844e94f0dfce85700c60b7bd510dd475deb54b5bff3777ec5c538d501b598
Instruction Fuzzy Hash: D24148B5600209EFDB15CF54C884BAABBE9EF48351F1680BEA9059F205D7B1DE44DBA0

Function 00BD2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BD2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00BD2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C36890,00000000), ref: 00BD2D5A

Strings

0, xrefs: 00BD2CA4

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: f217e8098ce7e3a38a8606befd132167533fc88c6460f1d0ae0aa37aa2318eb6
Instruction ID: d6f933574ec0dd56d6dbccbdd33c60c6e6f745077b1d76e9e0dc88b4ddf34717
Opcode Fuzzy Hash: f217e8098ce7e3a38a8606befd132167533fc88c6460f1d0ae0aa37aa2318eb6
Instruction Fuzzy Hash: 7441B4301043829FD714DF24C884B2AFBE9EF95320F1446AEF96597391EB70E905CB92

Function 00BEDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00BEDAD9

Part of subcall function 00B779AB: _memmove.LIBCMT ref: 00B779F9

Strings

stdcall, xrefs: 00BEDB5B
cdecl, xrefs: 00BEDB30
winapi, xrefs: 00BEDB4A
none, xrefs: 00BEDBB4

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: b1ae152451316dd8a1e95bb4408588d08a1c12c5d2658b5681afc324d4d82396
Instruction ID: 10832a40d618d223e345afd6382dd8c60954129b5555e2bd5a365e5d422d91cb
Opcode Fuzzy Hash: b1ae152451316dd8a1e95bb4408588d08a1c12c5d2658b5681afc324d4d82396
Instruction Fuzzy Hash: B331847050461AAFCF10EF65CC819EEB7F4FF15310B1086A9E876A76D1DB71A905CB80

Function 00BC9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

Part of subcall function 00BCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BCB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BC93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BC9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00BC9439

Part of subcall function 00B77D2C: _memmove.LIBCMT ref: 00B77D66

Strings

ComboBox, xrefs: 00BC9380
ListBox, xrefs: 00BC93B5

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 1ba9b63034265205d7a12b8beca27746c2b0e16f7e978af72b3c5ee19f4e73c4
Instruction ID: fd51d8c13127913345eafce6f7a88429b54c333b3c002c1df366ceb9d5194f3a
Opcode Fuzzy Hash: 1ba9b63034265205d7a12b8beca27746c2b0e16f7e978af72b3c5ee19f4e73c4
Instruction Fuzzy Hash: BD21B471940104BAEB28AB74DC8ADFFB7F8DF45350B1085ADF925972E1DF354A0AD620

Function 00BE1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BE1B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BE1B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BE1B96
InternetCloseHandle.WININET(00000000), ref: 00BE1BDD

Part of subcall function 00BE2777: GetLastError.KERNEL32(?,?,00BE1B0B,00000000,00000000,00000001), ref: 00BE278C
Part of subcall function 00BE2777: SetEvent.KERNEL32(?,?,00BE1B0B,00000000,00000000,00000001), ref: 00BE27A1

Strings

, xrefs: 00BE1B87

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fc3f98ab3be4ce68ce43ac003501db948c2f86c18f54f0569dc2d4820ef290bd
Instruction ID: fde0e580c5e1925d36f6c945a03c6718aa78e0041de7542c057411259dc3872a
Opcode Fuzzy Hash: fc3f98ab3be4ce68ce43ac003501db948c2f86c18f54f0569dc2d4820ef290bd
Instruction Fuzzy Hash: 1D21CFB1500248BFEB119F6A9CC5EBFB7ECEB49744F2005AAF505A7240EB349D049771

Function 00BF6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B71D73
Part of subcall function 00B71D35: GetStockObject.GDI32(00000011), ref: 00B71D87
Part of subcall function 00B71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B71D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BF66D0
LoadLibraryW.KERNEL32(?), ref: 00BF66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BF66EC
DestroyWindow.USER32(?), ref: 00BF66F4

Strings

SysAnimate32, xrefs: 00BF66AB

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 3ba02a5d1ecc505b7b3c924355a5d0903ea8479ba7d2bbdd4fd3b869b1c23ac8
Instruction ID: 22abb00c1eae9966281cc4c1c3ebfc6240e558b4d144c024fb97f7db501dd528
Opcode Fuzzy Hash: 3ba02a5d1ecc505b7b3c924355a5d0903ea8479ba7d2bbdd4fd3b869b1c23ac8
Instruction Fuzzy Hash: 7821777120020ABBEF105E68EC80EBB77E9EF59368F104669FE10D71A0DB728C559760

Function 00BD703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00BD705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BD7091
GetStdHandle.KERNEL32(0000000C), ref: 00BD70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00BD70DD

Strings

nul, xrefs: 00BD70D8

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 228a885762bc72205da3ac3a6d9ef1d5b485421bfb657ca88ff22c361d6ea4f8
Instruction ID: 1f0bd5dac6123ce70a3522819980d6fae7536f3ad661347ffdb25d2edc961e59
Opcode Fuzzy Hash: 228a885762bc72205da3ac3a6d9ef1d5b485421bfb657ca88ff22c361d6ea4f8
Instruction Fuzzy Hash: F6215175544209ABDB209F68DC45AEAB7E8EF44720F204A6AFDA1D73D0FB709950CB50

Function 00BD710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BD712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BD715D
GetStdHandle.KERNEL32(000000F6), ref: 00BD716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00BD71A8

Strings

nul, xrefs: 00BD71A3

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 265c408e1abc5f7f4d64db957ba7a3f165073bcc83e866a1475d78533f424073
Instruction ID: 64598fd26727d5ee9a01ed0e1590c1f53536d3ba3d4acf0c8d7c5ab77ce30ae4
Opcode Fuzzy Hash: 265c408e1abc5f7f4d64db957ba7a3f165073bcc83e866a1475d78533f424073
Instruction Fuzzy Hash: AF219075544206ABDB209F689C44AAAF7E8EF55720F200B9AF8A0E33D0FB709841CB50

Function 00BDAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00BDAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BDAF13
__swprintf.LIBCMT ref: 00BDAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00BFF910), ref: 00BDAF6A

Strings

%lu, xrefs: 00BDAF26

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1e207ad40cea0e7a584883b970a99634f99686d31e32c7f4038af1541de46871
Instruction ID: c2b412e303bbd49a138cbf49197ec75c672221f6c8af42a4a00bb9809be2b6e1
Opcode Fuzzy Hash: 1e207ad40cea0e7a584883b970a99634f99686d31e32c7f4038af1541de46871
Instruction Fuzzy Hash: C1214134A00109AFCB10DF64C985DAEBBF8EF89714B1080A9F909EB351DB71EA45CB61

Function 00BCA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B77D2C: _memmove.LIBCMT ref: 00B77D66

Part of subcall function 00BCA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00BCA399
Part of subcall function 00BCA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BCA3AC
Part of subcall function 00BCA37C: GetCurrentThreadId.KERNEL32 ref: 00BCA3B3
Part of subcall function 00BCA37C: AttachThreadInput.USER32(00000000), ref: 00BCA3BA

GetFocus.USER32 ref: 00BCA554

Part of subcall function 00BCA3C5: GetParent.USER32(?), ref: 00BCA3D3

GetClassNameW.USER32(?,?,00000100), ref: 00BCA59D
EnumChildWindows.USER32(?,00BCA615), ref: 00BCA5C5
__swprintf.LIBCMT ref: 00BCA5DF

Strings

%s%d, xrefs: 00BCA5D9

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 9f8c3c2dd701a0ceab155e5891f9cf104e3e79316cf503e06dff912799c3cd07
Instruction ID: 2a941f17592133f5ed7deca697f69b1ece2a1226dfdec05de4fdaecf4276eba9
Opcode Fuzzy Hash: 9f8c3c2dd701a0ceab155e5891f9cf104e3e79316cf503e06dff912799c3cd07
Instruction Fuzzy Hash: 47116D71640209BBDF11BF64DC85FBA77F8AF88704F0440B9BA18AB152CE705A45CB79

Function 00BD2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00BD2048

Strings

APPEND, xrefs: 00BD2081
REMOVE, xrefs: 00BD204E
EXISTS, xrefs: 00BD2070
KEYS, xrefs: 00BD205F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 8f18aac1821e75e74b67b2ac58a55e6efd4e74e354784190432bc4f0295b57f5
Instruction ID: 8df5e754053566c7cfd5c87ee4c639a854d815d79d436d0ba5d60200cf49a367
Opcode Fuzzy Hash: 8f18aac1821e75e74b67b2ac58a55e6efd4e74e354784190432bc4f0295b57f5
Instruction Fuzzy Hash: 71113970910119EFCF00EFA4D9814AEB7F4FF25304B1488A9D855A7352EB326916CB51

Function 00BEEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BEEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BEEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00BEF07E
CloseHandle.KERNEL32(?), ref: 00BEF0FF

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: ea7ca261d049d9e3aefa55323f1f44ae1cdf956ac05f8136e5e1e7f903aa7b18
Instruction ID: a0324c8278547cc7085bbdabfacde06ee62349aef514142a2bcf77381ef6c8a5
Opcode Fuzzy Hash: ea7ca261d049d9e3aefa55323f1f44ae1cdf956ac05f8136e5e1e7f903aa7b18
Instruction Fuzzy Hash: B98132716043019FD720DF25C886F6AB7E5EF88720F14886DF5A9D7292DB70AD40CB95

Function 00BF02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

Part of subcall function 00BF10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BF0038,?,?), ref: 00BF10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BF0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BF03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BF040E
RegCloseKey.ADVAPI32(?,?), ref: 00BF043A
RegCloseKey.ADVAPI32(00000000), ref: 00BF0447

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: e42c1057b4fd6e5be0061f47ca59f9dbcf40140a80d586cfd85fdcb4d6e669a5
Instruction ID: 704eeb8889c9110a421c7e20d9be4cea42c47e401fc69e34be9f46f0195e6a48
Opcode Fuzzy Hash: e42c1057b4fd6e5be0061f47ca59f9dbcf40140a80d586cfd85fdcb4d6e669a5
Instruction Fuzzy Hash: 77513F31214205AFD714EF64C881E7EB7E8FF88314F4489ADF655972A2DB30E908DB52

Function 00BEDBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00BEDC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00BEDCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00BEDCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00BEDD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00BEDD35

Part of subcall function 00B75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BD7B20,?,?,00000000), ref: 00B75B8C
Part of subcall function 00B75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BD7B20,?,?,00000000,?,?), ref: 00B75BB0

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: f8056fd2b45d3c5d617ac8746d539125e90ebe7d227a87b96033318537aa25e3
Instruction ID: 103e94375469b06c05f01f61d66b54893a728c76e8d94dde9f26e711ae6dbfd4
Opcode Fuzzy Hash: f8056fd2b45d3c5d617ac8746d539125e90ebe7d227a87b96033318537aa25e3
Instruction Fuzzy Hash: 8B511675A00245DFDB11EF69C8849ADB7F4EF48320B14C0A9E819AB351DBB0AD45CF91

Function 00BDE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BDE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00BDE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BDE8F2

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BDE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BDE91F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: c06f6acc8ea1c0a5435f215cb8a175a50a3feaae1bd159376a8db2ff430d069f
Instruction ID: 44db0dbe654457cf0710bda37c6421647f896148ae7151fb78dc2f4b2c1e2800
Opcode Fuzzy Hash: c06f6acc8ea1c0a5435f215cb8a175a50a3feaae1bd159376a8db2ff430d069f
Instruction Fuzzy Hash: 3E510935A00609DFDF11EF64C981AAEBBF5EF48310B1480A9E959AB362DB31ED11DB50

Function 00BFA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790596698a17a4dd3f8eb8de663ecdedb548fe3b2552421463634b616e79f769
Instruction ID: 8e24c61d0787e1ba57b09accaec4e5655ae72ea1ef45ffafef8332d89ce8b7b5
Opcode Fuzzy Hash: 790596698a17a4dd3f8eb8de663ecdedb548fe3b2552421463634b616e79f769
Instruction Fuzzy Hash: 1241E6B590010CAFD718DF28CC84FB9BBF4EB09310F1441A5FA59A72E1DB70AD49DA55

Function 00B72344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B72357
ScreenToClient.USER32(00C367B0,?), ref: 00B72374
GetAsyncKeyState.USER32(00000001), ref: 00B72399
GetAsyncKeyState.USER32(00000002), ref: 00B723A7

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 5442dfe3a3a6b85ccb2e901bac42aa8d4e69f6d9ef4cf6671c822b9ff9e769f2
Instruction ID: 6848fe7f0006171815b283dd7bfa9ee9abbe028679c1a5187cfb0bd52705a1d6
Opcode Fuzzy Hash: 5442dfe3a3a6b85ccb2e901bac42aa8d4e69f6d9ef4cf6671c822b9ff9e769f2
Instruction Fuzzy Hash: 8B416F35508219FFDF159F68C844AE9BBB4FB05320F10839AF83897290CB349D54DB95

Function 00BC6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BC695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00BC69A9
TranslateMessage.USER32(?), ref: 00BC69D2
DispatchMessageW.USER32(?), ref: 00BC69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BC69EB

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: bfb6d180ffedb79b5ae28eb0529165503faf5c1fd8e96b757f9e231845c5a167
Instruction ID: 5f6b9bb3062f7c63dd76f016670416aa8d1c1f2ab2f0fd574f6f2dd01cc5821f
Opcode Fuzzy Hash: bfb6d180ffedb79b5ae28eb0529165503faf5c1fd8e96b757f9e231845c5a167
Instruction Fuzzy Hash: C831A371914246BBDB20CF74DC84FBA7BE8EB1A304F1481ADE421D31A1EBB5D885D7A1

Function 00BC8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BC8F12
PostMessageW.USER32(?,00000201,00000001), ref: 00BC8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00BC8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00BC8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00BC8FDA

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7d5bbae20c2399fd20f224471bc78730855870bb0dde7cfc1f9a1c3aa3faf459
Instruction ID: 557808bfa6f5fce2a61ef79d578696366770344b13e67442e78577376754c4fc
Opcode Fuzzy Hash: 7d5bbae20c2399fd20f224471bc78730855870bb0dde7cfc1f9a1c3aa3faf459
Instruction Fuzzy Hash: AE31BC7150021AEBDF14CF68D988BAE7BB6EF44315F10466DF925EB2D0CBB09914DB90

Function 00BCB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00BCB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BCB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BCB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BCB742
_wcsstr.LIBCMT ref: 00BCB74C

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 7472cf540f86a3d4332c312cc2090a48125d58ffa81353030cf427fc16816e84
Instruction ID: 65fb2c5bfab1d236b23ebbdb3ca4309bf544863db6309a49ee22baff48fa04e0
Opcode Fuzzy Hash: 7472cf540f86a3d4332c312cc2090a48125d58ffa81353030cf427fc16816e84
Instruction Fuzzy Hash: 8921A132604205BAEB255B799C4AF7F7BE8DF45750F1040BEFC05DA1A1EF619C40D660

Function 00BFB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00B72612: GetWindowLongW.USER32(?,000000EB), ref: 00B72623

GetWindowLongW.USER32(?,000000F0), ref: 00BFB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00BFB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BFB489
GetSystemMetrics.USER32(00000004), ref: 00BFB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00BE1184,00000000), ref: 00BFB4D0

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 767765bcc3986ab075da278de1fecb4378ccea00280cb6dbe6246db66a1abd34
Instruction ID: f3b12ac64244f5d79f6f40eb079fc649ffecae07f018a3d5937df7083b9088c7
Opcode Fuzzy Hash: 767765bcc3986ab075da278de1fecb4378ccea00280cb6dbe6246db66a1abd34
Instruction Fuzzy Hash: 19215C7191025AAFCB109F38CD44B7A3BA4EF09724F148668EA26D76E1EB309814DB90

Function 00BC97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BC9802

Part of subcall function 00B77D2C: _memmove.LIBCMT ref: 00B77D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BC9834
__itow.LIBCMT ref: 00BC984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BC9874
__itow.LIBCMT ref: 00BC9885

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 691b0fcf41c150171a6fddef80838a2c6432de682eb76954765ebb297b40a8a2
Instruction ID: 2cf8878bdfc19e7d2512d1d254bef25da8793952f5b40cf9aa7296743f1b3dd6
Opcode Fuzzy Hash: 691b0fcf41c150171a6fddef80838a2c6432de682eb76954765ebb297b40a8a2
Instruction Fuzzy Hash: EE219571B00208BBEF109A658C8AFBE7BE9EF4A750F0440B9F905DB291DA708D45D791

Function 00B712F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B7134D
SelectObject.GDI32(?,00000000), ref: 00B7135C
BeginPath.GDI32(?), ref: 00B71373
SelectObject.GDI32(?,00000000), ref: 00B7139C

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 0e7ff60a2ec7200c12ae99fcf70185d26c60c61c42c68c9088a9ca5cd9850b0f
Instruction ID: 5f7d9b3e948a3169af3262164f295e75afb6b93a9a70462dfe0fa2a021eb864f
Opcode Fuzzy Hash: 0e7ff60a2ec7200c12ae99fcf70185d26c60c61c42c68c9088a9ca5cd9850b0f
Instruction Fuzzy Hash: 69215970810209FBDB108F2DDC04BAD7BF9EB04321F14C666F828A71E0DB719991DBA6

Function 00BCC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00BCC176
_memcmp.LIBCMT ref: 00BCC194
_memcmp.LIBCMT ref: 00BCC1A7
_memcmp.LIBCMT ref: 00BCC1BF
_memcmp.LIBCMT ref: 00BCC1D7

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e8dae18eb1f54e1e7a2fdd61aa1d096db6c5487a88a0814e29f5fa09165fbe67
Instruction ID: 80a9598d08d5142ac93504c2f86549645c8909a0919e3ce7b8c70d6ba05a9801
Opcode Fuzzy Hash: e8dae18eb1f54e1e7a2fdd61aa1d096db6c5487a88a0814e29f5fa09165fbe67
Instruction Fuzzy Hash: 8701B9B2A041067BE605A6265C86F6B7BDCDB31394F0840B9FE08A6283E760DE11D2F4

Function 00BD4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00BD4D5C
__beginthreadex.LIBCMT ref: 00BD4D7A
MessageBoxW.USER32(?,?,?,?), ref: 00BD4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BD4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BD4DAC

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 6581e55dba02b585d2eb25acfaf6394dae8f1db8be7051442f628bb5f93c3422
Instruction ID: 663e57c8d5618f92ca2534dbd663ea73362f701c9f042dcab2eb33b35a817bf1
Opcode Fuzzy Hash: 6581e55dba02b585d2eb25acfaf6394dae8f1db8be7051442f628bb5f93c3422
Instruction Fuzzy Hash: BB11A576904245BBC7119BB89C48BAFBBEDEB45320F1442A6F914D3351DB758D44C7A0

Function 00BC874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BC8766
GetLastError.KERNEL32(?,00BC822A,?,?,?), ref: 00BC8770
GetProcessHeap.KERNEL32(00000008,?,?,00BC822A,?,?,?), ref: 00BC877F
HeapAlloc.KERNEL32(00000000,?,00BC822A,?,?,?), ref: 00BC8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BC879D

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 36ee100ee2dddd06524ce7677b84fc971f1de8c8c0a92678f1f3e86f55720f1c
Instruction ID: e6b985cf511c1bb2257addbd5c25d48e681e86dbb7ce483759b1e2106989dc37
Opcode Fuzzy Hash: 36ee100ee2dddd06524ce7677b84fc971f1de8c8c0a92678f1f3e86f55720f1c
Instruction Fuzzy Hash: 3301FB71601205FFDB204FA6DC88DBB7BADEF8A795720057AF949D3260EE319D10CA60

Function 00BD54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BD5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BD5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BD5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BD5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BD555E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: fc9ca234e3b20d7ae1564cf624409789d37cbaaa69654333aa3c024c95c2d3f4
Instruction ID: 794a4f37c2c5b22ed6aba67c1938f65bad370383eab2f7be3a4eba59b735c269
Opcode Fuzzy Hash: fc9ca234e3b20d7ae1564cf624409789d37cbaaa69654333aa3c024c95c2d3f4
Instruction Fuzzy Hash: 8C01F736D05A1ADBCF109FA8E888AEDFBB9BF19715F004096E901B3240EB305654C7A1

Function 00BC7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BC758C,80070057,?,?,?,00BC799D), ref: 00BC766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BC758C,80070057,?,?), ref: 00BC768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BC758C,80070057,?,?), ref: 00BC7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BC758C,80070057,?), ref: 00BC76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BC758C,80070057,?,?), ref: 00BC76B4

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ca95d9eec84e51d711abfcc84b896715635ee96e61a98825c61efbe1f98e6922
Instruction ID: 0b3a186410a90fbdfac18681063de416d6af386739da05014fc7e30a0ca87345
Opcode Fuzzy Hash: ca95d9eec84e51d711abfcc84b896715635ee96e61a98825c61efbe1f98e6922
Instruction Fuzzy Hash: 6C0148B2601605ABDB109F68DC48FBA7BE9EF497A1F144078B904D3221EB31DE509AA0

Function 00BC85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BC8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BC8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BC8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BC8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BC863E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f1cc89399233b82eb2438e19e5d4ed07a18ed84a3f827b422af32ee3e5e4d410
Instruction ID: 663d48ede22c38d201ecb1dde1d3ff62fda814f55c3bfca0f349edbd08a19030
Opcode Fuzzy Hash: f1cc89399233b82eb2438e19e5d4ed07a18ed84a3f827b422af32ee3e5e4d410
Instruction Fuzzy Hash: 73F03731201205BFEB104FA5DC89E7B3BACEF8A754B000479FA49D7250CE619C41DA60

Function 00BC8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BC8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BC8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC869F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0bd95de2b17f0d23fc735aa225373f505947ee5addd397b076d944c324fb4622
Instruction ID: 02e720cc28cb55e52fdb250edd23cdf97e124542cac555eb480268813e1ae678
Opcode Fuzzy Hash: 0bd95de2b17f0d23fc735aa225373f505947ee5addd397b076d944c324fb4622
Instruction Fuzzy Hash: 72F04971300205AFEB211FA5EC88FBB3BACEF89B58B100079FA49D7250CF619941DA60

Function 00BCC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00BCC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00BCC6D1
MessageBeep.USER32(00000000), ref: 00BCC6E9
KillTimer.USER32(?,0000040A), ref: 00BCC705
EndDialog.USER32(?,00000001), ref: 00BCC71F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9016f9724181f44fccc3568de7365bc720f202fb24b391a9eb718bbfc55e8b6d
Instruction ID: 2f6c281f2ba336f5fd957c6a06abf3c434ecc1aaa4d01c0e2d5d0a180d2a07a8
Opcode Fuzzy Hash: 9016f9724181f44fccc3568de7365bc720f202fb24b391a9eb718bbfc55e8b6d
Instruction Fuzzy Hash: 0B012C30500705AAEB215B24DD8EFB67BA8FF10B05F0006AEE546E24E19FA0A954CA80

Function 00B713B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B713BF
StrokeAndFillPath.GDI32(?,?,00BABAD8,00000000,?), ref: 00B713DB
SelectObject.GDI32(?,00000000), ref: 00B713EE
DeleteObject.GDI32 ref: 00B71401
StrokePath.GDI32(?), ref: 00B7141C

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a2185c351786b1af272c27a30b7239a0061921d130965541f5c1feda245d7570
Instruction ID: 26a1905661b452c3bf2c4d462b7f3fe596833a30f48287d2792923710d5d122a
Opcode Fuzzy Hash: a2185c351786b1af272c27a30b7239a0061921d130965541f5c1feda245d7570
Instruction Fuzzy Hash: DAF0C430014209FBDB119F2EEC4DB683BE5EB05326F04C665E569861F1CB318995DF66

Function 00BDC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BDC69D
CoCreateInstance.OLE32(00C02D6C,00000000,00000001,00C02BDC,?), ref: 00BDC6B5

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

CoUninitialize.OLE32 ref: 00BDC922

Strings

.lnk, xrefs: 00BDC631, 00BDC659, 00BDC663

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: c97dab588314b46f287deec25102e3662bc9ca3dfd01b22943b778e0c9616523
Instruction ID: 34059823aa98ad221813c0c28d58ee15a974c233ad586abcbe5d463cca93d2ad
Opcode Fuzzy Hash: c97dab588314b46f287deec25102e3662bc9ca3dfd01b22943b778e0c9616523
Instruction Fuzzy Hash: F5A11F71104205AFD700EF54C891EABB7F8FF95704F0089ADF16A971A1EB71EA49CB52

Function 00B82E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00B90FF6: std::exception::exception.LIBCMT ref: 00B9102C
Part of subcall function 00B90FF6: __CxxThrowException@8.LIBCMT ref: 00B91041

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

Part of subcall function 00B77BB1: _memmove.LIBCMT ref: 00B77C0B

__swprintf.LIBCMT ref: 00B8302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00B82EC6

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 4d4588997a0f690641e1704f15257a1a661914dcca741236f1b714784732f479
Instruction ID: 4c64f0559b98c7d7f389dafdcaf327e1d5623234070c24733ce88158c48ce2f5
Opcode Fuzzy Hash: 4d4588997a0f690641e1704f15257a1a661914dcca741236f1b714784732f479
Instruction Fuzzy Hash: D1917C711083019FCB28FF24D895D7EB7E4EF85B50F0049ADF4969B2A1DA60EE44CB52

Function 00BDBBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B748AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B748A1,?,?,00B737C0,?), ref: 00B748CE

CoInitialize.OLE32(00000000), ref: 00BDBC26
CoCreateInstance.OLE32(00C02D6C,00000000,00000001,00C02BDC,?), ref: 00BDBC3F
CoUninitialize.OLE32 ref: 00BDBC5C

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

Strings

.lnk, xrefs: 00BDBC08, 00BDBC16

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: e94f989921eb15167f7b0574b5586aef300041ed943e8cb862799c59efd446a9
Instruction ID: 59b8640da312a8340b7bb0375fbc69de13698b0eb06389c71971f4799152914c
Opcode Fuzzy Hash: e94f989921eb15167f7b0574b5586aef300041ed943e8cb862799c59efd446a9
Instruction Fuzzy Hash: ECA133756043019FCB10DF14C884D6ABBE5FF88324F1589A9F8AA9B3A1DB31ED45CB91

Function 00B9524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B952DD

Part of subcall function 00BA0340: __87except.LIBCMT ref: 00BA037B

Strings

pow, xrefs: 00B952B5, 00B952D2

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 4ff1d03ad5b1f3987fd012a4e0ea20c2eebf77c8a1a66d731fb678830282c534
Instruction ID: fa9e9a9a544eabf14ef1e67f85b3725fd0be73dbe7aa3eb3626a5a162f388b9e
Opcode Fuzzy Hash: 4ff1d03ad5b1f3987fd012a4e0ea20c2eebf77c8a1a66d731fb678830282c534
Instruction Fuzzy Hash: E8514A21E6D60287DF267724C95136E3BE4EB06750F2089F8E496823E5EF748CD4DB4A

Function 00B9023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00B90277
#, xrefs: 00B90280

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 10fe420ead914d0d782b104a1af740775db6e5a7624bec6aa6f5209caefdcd94
Instruction ID: 3fa8464542932dd5f5c787cffd5d3bb16d7a3420962c573d0ed51e5ea65771a4
Opcode Fuzzy Hash: 10fe420ead914d0d782b104a1af740775db6e5a7624bec6aa6f5209caefdcd94
Instruction Fuzzy Hash: C951E3755047469FDF25AF28C488FF97BE4EF19310F5440E9E8929B2A0DB34AD82C761

Function 00B862F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B863A8
_memmove.LIBCMT ref: 00B86446
_memset.LIBCMT ref: 00B8646A

Strings

ERCP, xrefs: 00B86313

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 557995f2d695a9c9cf003645d30bc01f585dd1a513ed8b435983a781843182b6
Instruction ID: 0567d8e9f8da06b4ba937e4e7a9b046ddc07fce0ef448e8f7ac6b242bbad8be1
Opcode Fuzzy Hash: 557995f2d695a9c9cf003645d30bc01f585dd1a513ed8b435983a781843182b6
Instruction Fuzzy Hash: B651D371900309DFCB24DF64C881BAABBF4EF04710F2485AEE54ADB251E771E980CB40

Function 00BF7BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BFF910,00000000,?,?,?,?), ref: 00BF7C4E
GetWindowLongW.USER32 ref: 00BF7C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BF7C7B

Strings

SysTreeView32, xrefs: 00BF7C20

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 0126c02180d8b8bd2939ff1e8a08feffe80c87449692315f23eff308a2246582
Instruction ID: dc590749399a12726b36a3fc6c5e6735953a9a799b6170d011ad927e6ed407aa
Opcode Fuzzy Hash: 0126c02180d8b8bd2939ff1e8a08feffe80c87449692315f23eff308a2246582
Instruction Fuzzy Hash: 8531B03124420AABDB118F38DC41BFA77E9EF45324F2487A5FA79932E0CB31E8549B50

Function 00BF7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BF76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BF76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00BF7708

Strings

SysMonthCal32, xrefs: 00BF769B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: bec0a52fca8d551f216bd7c7f30e4b033271f540cc82a69da41894a904c87c8d
Instruction ID: 701f3fc39088b69b4b01c7fb5d93633d0f96cb51d05a7afb0da0baf8fb130fcd
Opcode Fuzzy Hash: bec0a52fca8d551f216bd7c7f30e4b033271f540cc82a69da41894a904c87c8d
Instruction Fuzzy Hash: D321B132550219BBDF118E64CC46FFA3BA9EF48714F110294FE15AB1D0DAB1AC54DBA0

Function 00BF6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BF6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BF6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BF6FDF

Strings

Listbox, xrefs: 00BF6F77

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0f28bbb10877532160435fef77cc4e255572f360a7b507218bcdfe4b35314b0b
Instruction ID: 72748bf31ca786cf5d7cd7d522edfa9e9608702bca5a05c70f0cb9de5be60d8f
Opcode Fuzzy Hash: 0f28bbb10877532160435fef77cc4e255572f360a7b507218bcdfe4b35314b0b
Instruction Fuzzy Hash: 1921813261011CBFDF119F54EC85FBB3BAAEF89764F118164FA149B190CA71AC55CBA0

Function 00BF797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BF79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BF79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BF7A03

Strings

msctls_trackbar32, xrefs: 00BF79B8

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: f9d41186a7404a4f72ba804862dd4813a207c344fbf1f41fc613fedc3f132cc8
Instruction ID: 8183b1b8a3e52c03cd13117ccfb61202d26e7e28067bffcbb2aee3b71c0d9979
Opcode Fuzzy Hash: f9d41186a7404a4f72ba804862dd4813a207c344fbf1f41fc613fedc3f132cc8
Instruction Fuzzy Hash: 8E11E73229420CBADF109F74CC05FAB77A9EF89764F024569F741A7090D6719811CB60

Function 00B74C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B74C2E), ref: 00B74CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B74CB5

Strings

kernel32.dll, xrefs: 00B74C9E
GetNativeSystemInfo, xrefs: 00B74CAF

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: e6ac17f98f142b9916b2ba74bcce6320c1a18cebafdd5823766afa0610df995d
Instruction ID: 333a2712618a39623751f705b5d94698f331568d3fa0e35e3994f05d60b5e5ea
Opcode Fuzzy Hash: e6ac17f98f142b9916b2ba74bcce6320c1a18cebafdd5823766afa0610df995d
Instruction Fuzzy Hash: B7D01730510727CFD7209F35DA58636B6E5EF05792B11C8BA989AE7260EBB0D8C0CA50

Function 00B74D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B74CE1,?), ref: 00B74DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B74DB4

Strings

kernel32.dll, xrefs: 00B74D9D
Wow64RevertWow64FsRedirection, xrefs: 00B74DAE

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 283c12e9d605e60d3b72fc9565ce8ed5483bb82a5164f5c15cef01bf26dc3230
Instruction ID: ea49d1eb838e5d9d5b6862591b58b962f040a13f2daf004c40f50fdab32268c2
Opcode Fuzzy Hash: 283c12e9d605e60d3b72fc9565ce8ed5483bb82a5164f5c15cef01bf26dc3230
Instruction Fuzzy Hash: CAD01731550723CFD7309F31D858B66B6E4EF05356B11C87AD8EAE7660EBB0D880CA50

Function 00B74D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B74D2E,?,00B74F4F,?,00C362F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B74D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B74D81

Strings

kernel32.dll, xrefs: 00B74D6A
Wow64DisableWow64FsRedirection, xrefs: 00B74D7B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 9316f4dcfb17067e8a8b180207085a933b760ccd8f8653bcb7a4988fe279416f
Instruction ID: 8633fa55409ffc9e48c818ff8ba3b12eba204f17fc479a9ee6779540080ab0cf
Opcode Fuzzy Hash: 9316f4dcfb17067e8a8b180207085a933b760ccd8f8653bcb7a4988fe279416f
Instruction Fuzzy Hash: 94D01730510723CFD7309F35D848736B6E8EF15352B11C97A94DAE7660EB70D880CA50

Function 00BF1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00BF12C1), ref: 00BF1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BF1092

Strings

RegDeleteKeyExW, xrefs: 00BF108C
advapi32.dll, xrefs: 00BF107B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 646512400e07549ead4f12a940b41cf63154b334c46194b15563c85b3542efdf
Instruction ID: bac1618c31b010aa21944e8ecaa7cbcba5bd87305b4e818632e01c94a8f78f41
Opcode Fuzzy Hash: 646512400e07549ead4f12a940b41cf63154b334c46194b15563c85b3542efdf
Instruction Fuzzy Hash: CED01730510727CFD7309F39E818A3AB6E4EF05361B118C7AA48AEB650EB70D8C0CA50

Function 00BE93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00BE9009,?,00BFF910), ref: 00BE9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BE9415

Strings

kernel32.dll, xrefs: 00BE93FE
GetModuleHandleExW, xrefs: 00BE940F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: baaa4e981e5a7de1c87c571a280039bbd1817b851bbdc18ff94345499e65e24b
Instruction ID: d3535339ee367313c3a1675cd2a46965cda7954dc17b384cc9ef1640ba933cd2
Opcode Fuzzy Hash: baaa4e981e5a7de1c87c571a280039bbd1817b851bbdc18ff94345499e65e24b
Instruction Fuzzy Hash: B9D01734514727CFD7309F32D949626B6E5EF05351B11C87AA486E7AA0EB70C884CA50

Function 00BB1B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BB1B42
__swprintf.LIBCMT ref: 00BB1B73

Strings

%.3d, xrefs: 00BB1B4D
WIN_XPe, xrefs: 00BB1BB2

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 5e93ce20fe494210fa1230b4899d1fe882abc76ccd5f989ba565b94d6930e282
Instruction ID: 5ac62b8de79c765617603d9a056eb37663570878c1a608b9e18b29652c84f86f
Opcode Fuzzy Hash: 5e93ce20fe494210fa1230b4899d1fe882abc76ccd5f989ba565b94d6930e282
Instruction Fuzzy Hash: 24D01271804118EBCB289A949CD4CFA77FCAB04301F9449E2B50692400F6B49B85DB25

Function 00BC76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69dc734a66c64001a12d3ef1eea0551d0f686788e360a7633697a1e4f5f0ffb
Instruction ID: 2a20daf278d382588b4ebaaa9544c148e01391b7b94ecea893afa0479f8bf04b
Opcode Fuzzy Hash: f69dc734a66c64001a12d3ef1eea0551d0f686788e360a7633697a1e4f5f0ffb
Instruction Fuzzy Hash: E1C12875A4421AAFCB14CF95C884EAEBBF5FF48714B11859DE806EB251DB30ED81CB90

Function 00BEE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00BEE3D2
CharLowerBuffW.USER32(?,?), ref: 00BEE415

Part of subcall function 00BEDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00BEDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00BEE615
_memmove.LIBCMT ref: 00BEE628

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 24c618b2f32ad6f59dcee20456adc312aec2f45da82a07da83d6b3c2fb347cfc
Instruction ID: f5a70a3202c825c00372a1b1139c6f53b5f7e08b078f9b52af28e3c88e34f060
Opcode Fuzzy Hash: 24c618b2f32ad6f59dcee20456adc312aec2f45da82a07da83d6b3c2fb347cfc
Instruction Fuzzy Hash: 19C16A716083419FC714DF29C48096ABBF4FF88714F1489AEF8AA9B351D771EA45CB82

Function 00BE83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00BE83D8
CoUninitialize.OLE32 ref: 00BE83E3

Part of subcall function 00BCDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BCDAC5

VariantInit.OLEAUT32(?), ref: 00BE83EE
VariantClear.OLEAUT32(?), ref: 00BE86BF

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: bf1211acb43b088af8a7fc9572c1fbb961dfca8e1513678f0cf8e21c5f6622a2
Instruction ID: e577c646c188cf6c8885b9a2d3e15ac84b878700e67fb6bed7fd4ff9a50bd2c4
Opcode Fuzzy Hash: bf1211acb43b088af8a7fc9572c1fbb961dfca8e1513678f0cf8e21c5f6622a2
Instruction Fuzzy Hash: 4EA11975204B419FDB10DF25C485B2AB7E5FF88324F148599FAAA9B3A1CB30ED04CB56

Function 00BC7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C02C7C,?), ref: 00BC7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C02C7C,?), ref: 00BC7C4A
CLSIDFromProgID.OLE32(?,?,00000000,00BFFB80,000000FF,?,00000000,00000800,00000000,?,00C02C7C,?), ref: 00BC7C6F
_memcmp.LIBCMT ref: 00BC7C90

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8953b4f8428d07a0213262377d69a91da4e33e9bd1c9cb9c4cf230003da215f6
Instruction ID: 67d6df072477c1eedf7c8eb2a321aeb827c03b45ac71e45478af85117be0e2eb
Opcode Fuzzy Hash: 8953b4f8428d07a0213262377d69a91da4e33e9bd1c9cb9c4cf230003da215f6
Instruction Fuzzy Hash: 7481E975A0010AEFCB04DF94C994EEEB7F9FF89315F208598E515AB250DB71AE06CB60

Function 00BC6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00BC6E04
SysAllocString.OLEAUT32(00000000), ref: 00BC6EAD
VariantCopy.OLEAUT32 ref: 00BC6EDC
VariantClear.OLEAUT32(?), ref: 00BC6F03

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 4104b613bdc921907975acb9d428f8835a06054795c9645b5b4f75194465eea6
Instruction ID: 6c1a85c35d1517d05ea3a5657a83aefa43e681cbffd962cb3b09f1cd8a8b1be9
Opcode Fuzzy Hash: 4104b613bdc921907975acb9d428f8835a06054795c9645b5b4f75194465eea6
Instruction Fuzzy Hash: 875193316583029BDF24AF65D895F3AB3E5EF48310F2088AFE55ACB291DE709840DF15

Function 00BD97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00B75045: _fseek.LIBCMT ref: 00B7505D

Part of subcall function 00BD99BE: _wcscmp.LIBCMT ref: 00BD9AAE
Part of subcall function 00BD99BE: _wcscmp.LIBCMT ref: 00BD9AC1

_free.LIBCMT ref: 00BD992C
_free.LIBCMT ref: 00BD9933
_free.LIBCMT ref: 00BD999E

Part of subcall function 00B92F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00B99C64), ref: 00B92FA9
Part of subcall function 00B92F95: GetLastError.KERNEL32(00000000,?,00B99C64), ref: 00B92FBB

_free.LIBCMT ref: 00BD99A6

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction ID: 674cc27c5a535446661c2a649f571426967f6cd223623d968b7e1b4c869f9049
Opcode Fuzzy Hash: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction Fuzzy Hash: C45129B1904218AFDF249F64DC81A9EBBB9EF48310F1044EEF619A7341EB755E808F59

Function 00BF9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0169DA28,?), ref: 00BF9AD2
ScreenToClient.USER32(00000002,00000002), ref: 00BF9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00BF9B72

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 32e93c4afb59a5dd44e6de1407b7551209e400bd9284aafa17a00852f4591188
Instruction ID: a6944037e83fb85309c88272aaced60f18c8b310e72988655cf8253b1dec1ae3
Opcode Fuzzy Hash: 32e93c4afb59a5dd44e6de1407b7551209e400bd9284aafa17a00852f4591188
Instruction Fuzzy Hash: D9511D34A00209AFCF24DF68D881ABE7BF5FF55320F148199FA159B2A1D730AD45CB90

Function 00BE6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00BE6CE4
WSAGetLastError.WSOCK32(00000000), ref: 00BE6CF4

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BE6D58
WSAGetLastError.WSOCK32(00000000), ref: 00BE6D64

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: f5ef6f92b36fd3a66c18dc3926ebcb0632ad2a0c809a1ecc98fd3d7cd5732245
Instruction ID: 04d5f20c0b3782da3b53246727b95bab79c9f73611db3aaea83989db3431f3ed
Opcode Fuzzy Hash: f5ef6f92b36fd3a66c18dc3926ebcb0632ad2a0c809a1ecc98fd3d7cd5732245
Instruction Fuzzy Hash: 56416F75740200AFEB20AF24DC86F3A77E5DF44B60F44C4A8FA699B2D2DB719D008B91

Function 00BE672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00BFF910), ref: 00BE67BA
_strlen.LIBCMT ref: 00BE67EC

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: c706c0c29ba9a8bd8d3c751914380428a265a7e9c8c24a340d69ef85ff52a2eb
Instruction ID: 6fde94ac2e141d40d3580a7b7db44111acc64d9d4da04d5ce924b04f7e5c1bda
Opcode Fuzzy Hash: c706c0c29ba9a8bd8d3c751914380428a265a7e9c8c24a340d69ef85ff52a2eb
Instruction Fuzzy Hash: 7B419531A00105ABCB14EB65DCD5FBEB7E9EF64354F1481E9F92A97292DB70AD00CB90

Function 00BDBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BDBB09
GetLastError.KERNEL32(?,00000000), ref: 00BDBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BDBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BDBB80

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 39a87ead0495cbbe7c36d0acc20566ad9a87c9906eeec4f631f53fdabcc0448e
Instruction ID: 12ced856896ac604215825c4eab75b592c467f80eb12971cf683c141249e7970
Opcode Fuzzy Hash: 39a87ead0495cbbe7c36d0acc20566ad9a87c9906eeec4f631f53fdabcc0448e
Instruction Fuzzy Hash: D4410239200611DFCB11EF15C584A6DBBE1EF89320B09C4D9E95A9B362CB34FD01CB91

Function 00BF8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BF8B4D

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 2725776cb9f98d4582c315f787a711c5e4a8f991d2438d986af28074e19be519
Instruction ID: 7873ddb543f941e96d414d7fc8d3e851897ece64b8c9d5b46861375fc47c7b3b
Opcode Fuzzy Hash: 2725776cb9f98d4582c315f787a711c5e4a8f991d2438d986af28074e19be519
Instruction Fuzzy Hash: 4031A1B460420CBEEF209B18CC99FB937E5EB05310F248592FB51D72A2CE32A948D751

Function 00BFADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00BFAE1A
GetWindowRect.USER32(?,?), ref: 00BFAE90
PtInRect.USER32(?,?,00BFC304), ref: 00BFAEA0
MessageBeep.USER32(00000000), ref: 00BFAF11

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 26ac42a7229a25e796345a7fefcfeea14ff2380e9c5e97a3a6d7e3a1a6951524
Instruction ID: 4ca23b1dabe35b50b37f430a8865c2929261765ae3954d29eccb54c4c1321e0a
Opcode Fuzzy Hash: 26ac42a7229a25e796345a7fefcfeea14ff2380e9c5e97a3a6d7e3a1a6951524
Instruction Fuzzy Hash: 10418DB4600119EFCB19CF58C884B79BBF5FF48350F2481A9E61CDB251D730A906CB92

Function 00BD0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00BD1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00BD1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00BD10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00BD110B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ca11974c79c2c1dce9e13dc4a9df4be46da62b534cf6204d2f8f07d0b94e5535
Instruction ID: 5d6ad16fed52ccd7e463f90032a401d903ffda02f126d62a62f9e0f351ba976d
Opcode Fuzzy Hash: ca11974c79c2c1dce9e13dc4a9df4be46da62b534cf6204d2f8f07d0b94e5535
Instruction Fuzzy Hash: 2A312870A40688BEFB30AA6D8C05BFAFBEAEB44310F04469BE580523D1E77489C19755

Function 00BD1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00BD1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00BD1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00BD11F1
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00BD1243

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 63ca6f35d33fe132502c8b46971ce3a33cf3b4b10709a7489fd829060e488f69
Instruction ID: e68bd47dd519a8d338090d6ab2b23ec3528371bb335226b405512636e046d9b1
Opcode Fuzzy Hash: 63ca6f35d33fe132502c8b46971ce3a33cf3b4b10709a7489fd829060e488f69
Instruction Fuzzy Hash: 05310730A406187AEF209A6D8804BFAFBFAEB59310F044B9BE590A23D1E3358D95D751

Function 00BA6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00BA644B
__isleadbyte_l.LIBCMT ref: 00BA6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BA64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BA64DD

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 60b0ceef9aeddfb8cca7d1cbe2f326cc12b9f85f7ec23a69b366cab11bc6e21d
Instruction ID: 439bc008027ecf380fb3023ecadccf1eef4d6a85ffde43fbde8496ce30a19277
Opcode Fuzzy Hash: 60b0ceef9aeddfb8cca7d1cbe2f326cc12b9f85f7ec23a69b366cab11bc6e21d
Instruction Fuzzy Hash: 9931EFB1608246AFDF218F74C884BBA7BE5FF4A710F1940A9E854872A0EF31D950DB90

Function 00BF5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00BF5189

Part of subcall function 00BD387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BD3897
Part of subcall function 00BD387D: GetCurrentThreadId.KERNEL32 ref: 00BD389E
Part of subcall function 00BD387D: AttachThreadInput.USER32(00000000,?,00BD52A7), ref: 00BD38A5

GetCaretPos.USER32(?), ref: 00BF519A
ClientToScreen.USER32(00000000,?), ref: 00BF51D5
GetForegroundWindow.USER32 ref: 00BF51DB

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 345bba403a942ac5bb9ffd440d8f9c976e54e8cda718c54621a1ae44ee68effd
Instruction ID: e6a52b97b7e66077c1a25ca87668887b6f0181fae2d4ca93749787ade9b9b315
Opcode Fuzzy Hash: 345bba403a942ac5bb9ffd440d8f9c976e54e8cda718c54621a1ae44ee68effd
Instruction Fuzzy Hash: 3931FE71900109AFDB10EFA5C885DEFB7F9EF98300F1080AAE515E7251EA759E45CBA1

Function 00BFC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B72612: GetWindowLongW.USER32(?,000000EB), ref: 00B72623

GetCursorPos.USER32(?), ref: 00BFC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BABBFB,?,?,?,?,?), ref: 00BFC7D7
GetCursorPos.USER32(?), ref: 00BFC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BABBFB,?,?,?), ref: 00BFC85E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9beed83f9fd8aeb0822d2c2bdd5c1f46c7cc4c50cb35be8b5ed85bc890805e44
Instruction ID: 357f39915c938e33fe907588845eca58adc806fb5f130e227e34b27bd4beadfb
Opcode Fuzzy Hash: 9beed83f9fd8aeb0822d2c2bdd5c1f46c7cc4c50cb35be8b5ed85bc890805e44
Instruction Fuzzy Hash: E7315C3560001CAFCB158F58C898EBA7FE6EB49350F0440A9FA058B2A1C7329D94DBA0

Function 00BC8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BC8669
Part of subcall function 00BC8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BC8673
Part of subcall function 00BC8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC8682
Part of subcall function 00BC8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC8689
Part of subcall function 00BC8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BC869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BC8BEB
_memcmp.LIBCMT ref: 00BC8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BC8C44
HeapFree.KERNEL32(00000000), ref: 00BC8C4B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d447ee0ade4bf565a1d52a17edb219af14daaf0456cfb7f4bc7b9295aa31c017
Instruction ID: 4c58d3d631e5d0ffe792e1f3b02834a72b29c27409f75514b6ebcf82f2682973
Opcode Fuzzy Hash: d447ee0ade4bf565a1d52a17edb219af14daaf0456cfb7f4bc7b9295aa31c017
Instruction Fuzzy Hash: 3F216972E01209ABDB10DFA4C945FEEB7F8EF44355F1540A9E554A7240DB31AA06DB60

Function 00B90BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00B90BF2

Part of subcall function 00B75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BD7B20,?,?,00000000), ref: 00B75B8C
Part of subcall function 00B75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BD7B20,?,?,00000000,?,?), ref: 00B75BB0

_fprintf.LIBCMT ref: 00B90C29
OutputDebugStringW.KERNEL32(?), ref: 00BC6331

Part of subcall function 00B94CDA: _flsall.LIBCMT ref: 00B94CF3

__setmode.LIBCMT ref: 00B90C5E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 81764ab19d33b6c08eb1fa4af28826d939265d2d2c94884e368e07f48299168f
Instruction ID: 8945eeadf42e9674e1a830753449f260cead3c3b731940d0b0fb7f8ad84f2a37
Opcode Fuzzy Hash: 81764ab19d33b6c08eb1fa4af28826d939265d2d2c94884e368e07f48299168f
Instruction Fuzzy Hash: A81124329042087EDF15B7B49C82EBEBBE9DF45320F1481FAF20857282EF615D4283A5

Function 00BE1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BE1A97

Part of subcall function 00BE1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BE1B40
Part of subcall function 00BE1B21: InternetCloseHandle.WININET(00000000), ref: 00BE1BDD

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: b860f6404e7e4f6e96e17a1290c157754738e2eb14f4bcd9e84b3229bd57f487
Instruction ID: 57c20695a03ed245cd3eda38057da8817411d2d5c6ad9fb7476f288d261297fb
Opcode Fuzzy Hash: b860f6404e7e4f6e96e17a1290c157754738e2eb14f4bcd9e84b3229bd57f487
Instruction Fuzzy Hash: F6218035200641BFDB119F768C41FBAB7EDFF44701F20455AFA1297650EB71A811D7A0

Function 00BCE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00BCF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00BCE1C4,?,?,?,00BCEFB7,00000000,000000EF,00000119,?,?), ref: 00BCF5BC
Part of subcall function 00BCF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00BCF5E2
Part of subcall function 00BCF5AD: lstrcmpiW.KERNEL32(00000000,?,00BCE1C4,?,?,?,00BCEFB7,00000000,000000EF,00000119,?,?), ref: 00BCF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00BCEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00BCE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00BCE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00BCEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00BCE237

Strings

cdecl, xrefs: 00BCE22E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c811d8603566f559eb455455a14f715156d68cf4fb3c34e76b6c5348c1d573b3
Instruction ID: 7d9dcf9e96773de9dcec51bfdb7b9499e36899b372a82823ba96657f3a714110
Opcode Fuzzy Hash: c811d8603566f559eb455455a14f715156d68cf4fb3c34e76b6c5348c1d573b3
Instruction Fuzzy Hash: CA11BE36200302EFCB25AF64D845F7A77E9FF84350B4040AAF916CB260EB71D950D7A0

Function 00BA5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BA5351

Part of subcall function 00B9594C: __FF_MSGBANNER.LIBCMT ref: 00B95963
Part of subcall function 00B9594C: __NMSG_WRITE.LIBCMT ref: 00B9596A
Part of subcall function 00B9594C: RtlAllocateHeap.NTDLL(01680000,00000000,00000001,00000000,?,?,?,00B91013,?), ref: 00B9598F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 2ec29b692438f425415ccb7d4ff6f92820c4f0436116145b77a8307b54f41d35
Instruction ID: 0510ff8a3e69e2c94091d77e20d15d75b35aa2b5d5f0ae604724be9a10c857ba
Opcode Fuzzy Hash: 2ec29b692438f425415ccb7d4ff6f92820c4f0436116145b77a8307b54f41d35
Instruction Fuzzy Hash: 4B11E772508A15AFCF312F70AC4576E37D8AF563A0B1004F9F90697191DE758B408758

Function 00B74531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B74560

Part of subcall function 00B7410D: _memset.LIBCMT ref: 00B7418D
Part of subcall function 00B7410D: _wcscpy.LIBCMT ref: 00B741E1
Part of subcall function 00B7410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B741F1

KillTimer.USER32(?,00000001,?,?), ref: 00B745B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B745C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BAD6CE

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f4e384579ce949936aebf173340de01de9624c0187d8a8fdb7916b432d507f0e
Instruction ID: 0a34782ada22df802bc9037af4cc2fe5f6f455e9b769cef9e858a0ff771d1d65
Opcode Fuzzy Hash: f4e384579ce949936aebf173340de01de9624c0187d8a8fdb7916b432d507f0e
Instruction Fuzzy Hash: D121C570908784AFEB328B249885BFBBBECDF12305F0440DDE69E57281C7B45A84DB51

Function 00BE667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BD7B20,?,?,00000000), ref: 00B75B8C
Part of subcall function 00B75B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BD7B20,?,?,00000000,?,?), ref: 00B75BB0

gethostbyname.WSOCK32(?,?,?), ref: 00BE66AC
WSAGetLastError.WSOCK32(00000000), ref: 00BE66B7
_memmove.LIBCMT ref: 00BE66E4
inet_ntoa.WSOCK32(?), ref: 00BE66EF

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 26c29cf3eb9fa81e6fcf0c58363138adf9da3a0f67e34276a0c8995be5e1f01c
Instruction ID: ad493ec5db93bfdb597cf63e48abb940e728bc14fea8eaff16d1f3f1d371413a
Opcode Fuzzy Hash: 26c29cf3eb9fa81e6fcf0c58363138adf9da3a0f67e34276a0c8995be5e1f01c
Instruction Fuzzy Hash: 27115B35900509AFCB00EBA4DD86DFEB7F8EF14310B1480A5F51AA7261DF70AE04DB61

Function 00BC9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00BC9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BC9086

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9d9afc8160df003b9f83f55d21bf439077725f3c2199c2c0084096531869799d
Instruction ID: f267e1d25a92f1cfbbebbf1de74bdfe5075c98b2b83c77e0d44a44c326e5a612
Opcode Fuzzy Hash: 9d9afc8160df003b9f83f55d21bf439077725f3c2199c2c0084096531869799d
Instruction Fuzzy Hash: CE111C79901218FFEB11DFA5C985FADBBB4FB48710F204095E904B7250DA716E50DB94

Function 00B71290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00B72612: GetWindowLongW.USER32(?,000000EB), ref: 00B72623

DefDlgProcW.USER32(?,00000020,?), ref: 00B712D8
GetClientRect.USER32(?,?), ref: 00BAB84B
GetCursorPos.USER32(?), ref: 00BAB855
ScreenToClient.USER32(?,?), ref: 00BAB860

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0296ff1efe5ca210a44dfc8feaccfbbca2c7d79ed0020276ff35eb4881ae7c15
Instruction ID: 7945470e3fc994101f0ee4c75d86cbfb2b88569d7a1364bdcfb85e8e7e178995
Opcode Fuzzy Hash: 0296ff1efe5ca210a44dfc8feaccfbbca2c7d79ed0020276ff35eb4881ae7c15
Instruction Fuzzy Hash: 9511193550001ABFCB04DF98D8859BE77F8EB05300F008895E925E7251CB30AA55CBB5

Function 00BD1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BD01FD,?,00BD1250,?,00008000), ref: 00BD166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00BD01FD,?,00BD1250,?,00008000), ref: 00BD1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BD01FD,?,00BD1250,?,00008000), ref: 00BD169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00BD01FD,?,00BD1250,?,00008000), ref: 00BD16D1

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f0804125687887d7d6a9dd1dca051fce669f27ca3a93c6b5ab3cb49dd0c4985e
Instruction ID: 54a227a01a88acdfd743fa73f8c474cf754a1f7654c942abd0b79439fcd08cba
Opcode Fuzzy Hash: f0804125687887d7d6a9dd1dca051fce669f27ca3a93c6b5ab3cb49dd0c4985e
Instruction Fuzzy Hash: DA111831C00519EBCF009FA9D988AFEFBB8FF09751F054496EA44B7240DB309660DB96

Function 00BA7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00BA722B

Part of subcall function 00BA7912: __fltout2.LIBCMT ref: 00BA793B

__cftog_l.LIBCMT ref: 00BA7251
__cftoe_l.LIBCMT ref: 00BA7283

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: e23893bf0b8a5a57cadab058f5ff61ac5728399edc72ac6c059db295a29bd20f
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: C7017E3208C24ABBCF125E84CC419EE3FA6BF1A340F088595FA1858031DA36C9B1AB81

Function 00BFB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00BFB59E
ScreenToClient.USER32(?,?), ref: 00BFB5B6
ScreenToClient.USER32(?,?), ref: 00BFB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BFB5F5

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 87c081919d5bfdb5cec7a1937e22fd9c833ea2fa3e75808d15a7198b3634e117
Instruction ID: 6387ad5965fee5509a59aeb8e843b40c5c85fb4f6d3b2aec3a41ec4e4b39c510
Opcode Fuzzy Hash: 87c081919d5bfdb5cec7a1937e22fd9c833ea2fa3e75808d15a7198b3634e117
Instruction Fuzzy Hash: 441123B9D0020AAFDB41CF99C4849AEBBB5FF18310F104166E914E3220DB35AA55CB50

Function 00BFB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BFB8FE
_memset.LIBCMT ref: 00BFB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C37F20,00C37F64), ref: 00BFB93C
CloseHandle.KERNEL32 ref: 00BFB94E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 7b52e7adfe8d449c7e8551583f5a35245a19ae6437cf7adcfdb2712a53240e55
Instruction ID: 31f09d71e010c0d05926ec63aeae6bd63ae589f8a4f2d9847df894c40c63238a
Opcode Fuzzy Hash: 7b52e7adfe8d449c7e8551583f5a35245a19ae6437cf7adcfdb2712a53240e55
Instruction Fuzzy Hash: 93F05EF25543057BE62027A1AC45FBB3ADCFB0C754F004170FB08D6192D7714910C7A8

Function 00BD6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00BD6E88

Part of subcall function 00BD794E: _memset.LIBCMT ref: 00BD7983

_memmove.LIBCMT ref: 00BD6EAB
_memset.LIBCMT ref: 00BD6EB8
LeaveCriticalSection.KERNEL32(?), ref: 00BD6EC8

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 8bf89cf949866b0814749401d25b6d3a4224f93dce6b3d08826ac862be22b007
Instruction ID: aa5a3727cd923f46bd4772cabcb6f389d084d0cd2f61a85c1c2b5d170484bcf5
Opcode Fuzzy Hash: 8bf89cf949866b0814749401d25b6d3a4224f93dce6b3d08826ac862be22b007
Instruction Fuzzy Hash: 67F0543A100200BBCF016F55DC85A99FB69EF45320B0480A5FE085F21ADB35A911DBB4

Function 00BFC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B712F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B7134D
Part of subcall function 00B712F3: SelectObject.GDI32(?,00000000), ref: 00B7135C
Part of subcall function 00B712F3: BeginPath.GDI32(?), ref: 00B71373
Part of subcall function 00B712F3: SelectObject.GDI32(?,00000000), ref: 00B7139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00BFC030
LineTo.GDI32(00000000,?,?), ref: 00BFC03D
EndPath.GDI32(00000000), ref: 00BFC04D
StrokePath.GDI32(00000000), ref: 00BFC05B

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 2d66b27d321f7eb9e05b2e017b9d0bfc2205dea4daef5225145b49e1ca7628aa
Instruction ID: afaeb5318441517abf3ac6ec539f55e7e7af85d2e2049e4964cb63105c347033
Opcode Fuzzy Hash: 2d66b27d321f7eb9e05b2e017b9d0bfc2205dea4daef5225145b49e1ca7628aa
Instruction Fuzzy Hash: 77F05E3100525EBBDB126F64AC0AFEE3F99AF0A311F048050FB11631E28F755655DBA9

Function 00BCA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00BCA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00BCA3AC
GetCurrentThreadId.KERNEL32 ref: 00BCA3B3
AttachThreadInput.USER32(00000000), ref: 00BCA3BA

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f65d221468558044968a90c8ef1c61abe7dc4ef46802345fc05e48c493965348
Instruction ID: 4c62a9b2c4642b56e8ead556c231bd9be9e4470cf3e07230261b86f5f8eb1a2e
Opcode Fuzzy Hash: f65d221468558044968a90c8ef1c61abe7dc4ef46802345fc05e48c493965348
Instruction Fuzzy Hash: 5CE03931241268BADB201BA2DC0CFF73F5CEF167A1F008028F908DA0A0CE718940CBA0

Function 00B72218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B72231
SetTextColor.GDI32(?,000000FF), ref: 00B7223B
SetBkMode.GDI32(?,00000001), ref: 00B72250
GetStockObject.GDI32(00000005), ref: 00B72258
GetWindowDC.USER32(?,00000000), ref: 00BAC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BAC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00BAC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00BAC112
GetPixel.GDI32(00000000,?,?), ref: 00BAC132
ReleaseDC.USER32(?,00000000), ref: 00BAC13D

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: f54625be5528c6096f6bef377b093112c496a9e7de8311e0395f3fc49694907a
Instruction ID: 1c111361492aa2a303dff7d08b598b3c8cbedb499999774a8aa78b4706b3916b
Opcode Fuzzy Hash: f54625be5528c6096f6bef377b093112c496a9e7de8311e0395f3fc49694907a
Instruction Fuzzy Hash: D1E03932204245EADB215F64EC097F83B54EB16336F0083A6FA696A0E18B728A90DB11

Function 00BC8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00BC8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00BC882E), ref: 00BC8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BC882E), ref: 00BC8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00BC882E), ref: 00BC8C7E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 6841495c7e33ddea4dc94bd794a95c1539977080bf3c39057e51f22e8f7093d2
Instruction ID: 5ab4054aee8ec16379dfb17c4fe7cb1175a645c8de1f496f610171954e06a0da
Opcode Fuzzy Hash: 6841495c7e33ddea4dc94bd794a95c1539977080bf3c39057e51f22e8f7093d2
Instruction Fuzzy Hash: E5E04636642312ABD7205FB0AD0CFB73BA8EF50792F084878B286CB080EE348441CB65

Function 00BB2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BB2187
GetDC.USER32(00000000), ref: 00BB2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BB21B1
ReleaseDC.USER32(?), ref: 00BB21D2

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b59d866f5f21dc9e4adf03a6ad17dbc930592fd8332a6113240bcec7bb853801
Instruction ID: 4b184dcdb600bf35d6b7eb3e9a2ebb0c08ca71c1d692eb4263ed16f278fc27bc
Opcode Fuzzy Hash: b59d866f5f21dc9e4adf03a6ad17dbc930592fd8332a6113240bcec7bb853801
Instruction Fuzzy Hash: 68E0CAB5800206AFDB019FA0C888ABD7BF1AF48350F208429E96AE7220CF788542DF40

Function 00BB219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BB219B
GetDC.USER32(00000000), ref: 00BB21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BB21B1
ReleaseDC.USER32(?), ref: 00BB21D2

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: af8b964cad7c29e723d04413a73121da277b14c1e14ea7f2948362e5f29c9580
Instruction ID: 5e96f2b3d1ccf1c2e18c5eb064d45ee4fb0b6a22c907266bb87d9e16f4701bd2
Opcode Fuzzy Hash: af8b964cad7c29e723d04413a73121da277b14c1e14ea7f2948362e5f29c9580
Instruction Fuzzy Hash: FEE05AB5800206AFCB119FA098886AD7AE5AF58351B118429E96AE7260DF789541DF40

Function 00BCB7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00BCB981

Strings

Container, xrefs: 00BCB8FE
AutoIt3GUI, xrefs: 00BCB8F9

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 6d97c4166c4c6711a9a677994d31c8059f09c22a8ac3d010facf8979137d3993
Instruction ID: a46ec14e59f2b9c365cb583a45721d01b8fd1df19635206550457537a9b19f8c
Opcode Fuzzy Hash: 6d97c4166c4c6711a9a677994d31c8059f09c22a8ac3d010facf8979137d3993
Instruction Fuzzy Hash: C0913A706006019FDB64DF64C885F6AB7E9FF48710F2485AEF94ACB691DB70E841CB50

Function 00BDB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8FEC6: _wcscpy.LIBCMT ref: 00B8FEE9

Part of subcall function 00B79997: __itow.LIBCMT ref: 00B799C2
Part of subcall function 00B79997: __swprintf.LIBCMT ref: 00B79A0C

__wcsnicmp.LIBCMT ref: 00BDB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00BDB361

Strings

LPT, xrefs: 00BDB292

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: f24ea44f8a1e86fc69c0c4c7c6f06400651550e6b6ebeb6c7ef662108f8a65ca
Instruction ID: ed5ee6ecb0e27aaa793db47b210989093701fbd26dd49744229af07aa0399b10
Opcode Fuzzy Hash: f24ea44f8a1e86fc69c0c4c7c6f06400651550e6b6ebeb6c7ef662108f8a65ca
Instruction Fuzzy Hash: EC616075A00215EFCB14DF94C881EAEB7F4EF48310F1581AAF55AAB391EB70AE40DB54

Function 00B82AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B82AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B82AE1

Strings

@, xrefs: 00B82AD5

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f4e101edc9063bbd17d2e3a07c7c981cecba429207bea141f48e937afbed8f1f
Instruction ID: d0082614fa3496d689fc28612d594a8dd84805bd9b2ec94b043df5e02a054679
Opcode Fuzzy Hash: f4e101edc9063bbd17d2e3a07c7c981cecba429207bea141f48e937afbed8f1f
Instruction Fuzzy Hash: 215159724187449BD320AF10DC86BAFBBF8FF85314F4288ADF1E9511A5DB309529CB66

Function 00BD99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00B7506B: __fread_nolock.LIBCMT ref: 00B75089

_wcscmp.LIBCMT ref: 00BD9AAE
_wcscmp.LIBCMT ref: 00BD9AC1

Strings

FILE, xrefs: 00BD99FA

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: fe3ee1eee253f4aa7ba8c7ccab53b7c256f003eab3683df85d0fd684919b420d
Instruction ID: f20fa86a524dc356962abb10ac6921840372f29fa1398dae7537f4a3bd7bb639
Opcode Fuzzy Hash: fe3ee1eee253f4aa7ba8c7ccab53b7c256f003eab3683df85d0fd684919b420d
Instruction Fuzzy Hash: 1C41F871A00619BADF209AA0DC85FEFBBFDDF45710F0140BAF905B7281DA75AE0487A1

Function 00BE2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BE2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BE28C8

Strings

|, xrefs: 00BE2899

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 54c4f1fb7bbe6d02e180063cce460d87ad02a4ff3485090cb38c17c63758fd2d
Instruction ID: baa6b069c6e8678ddebed9c05b5fbf82efadf9f989ce684670da6a2d7b3eb156
Opcode Fuzzy Hash: 54c4f1fb7bbe6d02e180063cce460d87ad02a4ff3485090cb38c17c63758fd2d
Instruction Fuzzy Hash: 0A311971804119AFCF01EFA1CC85EEEBFB9FF08300F1041A9F819A6166DB315A56DBA0

Function 00BF6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00BF6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BF6DC2

Strings

static, xrefs: 00BF6D22

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3bf5f040e96b87d88c3093dc26060ab8071181fc38bef1e261ebcd513906be2c
Instruction ID: f5f8f8a6706f8e839dec41317394af35bb018b62b9cffe953e07f86ff673db12
Opcode Fuzzy Hash: 3bf5f040e96b87d88c3093dc26060ab8071181fc38bef1e261ebcd513906be2c
Instruction Fuzzy Hash: 42317075210608AADB109F78CC80BFB77F9FF48760F108669F9A997190DA31AC55DB60

Function 00BD2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BD2E3B

Strings

0, xrefs: 00BD2DF9

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 60f2e086212e355fa5eae373383df50835e6a6d5fa3bdd8d4622df9369b0204c
Instruction ID: 0b4c2dfd0d974e611cb43db576afda443183ace2f15523c37081c6b868ebe669
Opcode Fuzzy Hash: 60f2e086212e355fa5eae373383df50835e6a6d5fa3bdd8d4622df9369b0204c
Instruction Fuzzy Hash: BC31F531A00345ABEB248F48C885BAEFBF9EF15340F1444ABE985972A1F7709941CB50

Function 00BF6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BF69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BF69DB

Strings

Combobox, xrefs: 00BF699D

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 23ab32e48bbfe84a6af1203f8770fcc9a6c1413d7c023ca074266ffcc7ccf5bf
Instruction ID: ad6ea18662aecb9a8fa7360267c76d0960e7c16418709cab8e2ae80d3bfb76bc
Opcode Fuzzy Hash: 23ab32e48bbfe84a6af1203f8770fcc9a6c1413d7c023ca074266ffcc7ccf5bf
Instruction Fuzzy Hash: 0A11B67160020D7FEF159F64CC80EBB37AAEB893A4F118164FE5897290D6B19C5587A0

Function 00BF6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B71D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B71D73
Part of subcall function 00B71D35: GetStockObject.GDI32(00000011), ref: 00B71D87
Part of subcall function 00B71D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B71D91

GetWindowRect.USER32(00000000,?), ref: 00BF6EE0
GetSysColor.USER32(00000012), ref: 00BF6EFA

Strings

static, xrefs: 00BF6EBD

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6925101338c3d4b626d6890c5505530401a3b9ed0f50c926cfa07c2671955c8c
Instruction ID: 7c11b37c1eac481f16c681e104591459ec30a338eab17e120c8f0acf74692e2b
Opcode Fuzzy Hash: 6925101338c3d4b626d6890c5505530401a3b9ed0f50c926cfa07c2671955c8c
Instruction Fuzzy Hash: DF21177261020AAFDB04DFA8DD45AFA7BF8EB08314F004669FE55D3250D634E865DB60

Function 00BF6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00BF6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BF6C20

Strings

edit, xrefs: 00BF6BF5

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 074b53e0eef4e73f636cd92fe49827ad3ed120a3933b834c3877e4767df2e970
Instruction ID: 2e7209924613ba88e62ac57611554047b2614ced64ec6ae935d129b59fb5b123
Opcode Fuzzy Hash: 074b53e0eef4e73f636cd92fe49827ad3ed120a3933b834c3877e4767df2e970
Instruction Fuzzy Hash: 67116D7150010CABEB104F64DC42ABA3BA9EF15368F504764FEA5D71E0C675DC999B60

Function 00BD2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00BD2F30

Strings

0, xrefs: 00BD2F07

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 98f25072aebbf129a22c38c73a2c9a39245a7af6bdb8e85625875e643acbcb49
Instruction ID: 3ab1f81ab2f136acb23e3eb501e975ca18afaf06723f7e69fdd39cdcd707bd7b
Opcode Fuzzy Hash: 98f25072aebbf129a22c38c73a2c9a39245a7af6bdb8e85625875e643acbcb49
Instruction Fuzzy Hash: A211D031901155ABCF21DB98DC84BADF3F9EB25310F0440E2E844A73A0E7B0AD05C791

Function 00BE24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BE2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BE2549

Strings

<local>, xrefs: 00BE2511

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 52c7e16ec20a9d84f48176cd2828bc1c63a0326f1315bf10c8cd73dbb5981883
Instruction ID: 2359f0bdbe6d888f1e258d1a5814ea2669c9a64d7ce127c1958a637886eb8433
Opcode Fuzzy Hash: 52c7e16ec20a9d84f48176cd2828bc1c63a0326f1315bf10c8cd73dbb5981883
Instruction Fuzzy Hash: AB11E0701002A5BADB248F528C99EBBFFECFF26351F10816AFA0547140D3706940DAE0

Function 00BE80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BE830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00BE80C8,?,00000000,?,?), ref: 00BE8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BE80CB
htons.WSOCK32(00000000,?,00000000), ref: 00BE8108

Strings

255.255.255.255, xrefs: 00BE80E3

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: bf282e16bb0712d05ac63cb06d0a107b2bbe7afb6b347ef4e0832748bd45249d
Instruction ID: 93585f86e103e6bfe462622f72c976ccab83a813495cf18812de3c5eb9925b2e
Opcode Fuzzy Hash: bf282e16bb0712d05ac63cb06d0a107b2bbe7afb6b347ef4e0832748bd45249d
Instruction Fuzzy Hash: A9110874600645ABDB20AF65CC86FBDB3B4FF04310F1085AAF915A7292DF71A801C756

Function 00BC92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

Part of subcall function 00BCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BCB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BC9355

Strings

ComboBox, xrefs: 00BC92F4
ListBox, xrefs: 00BC931F

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b2e454cb5d84d98a2cfc852bc8a0bc1f34e4072d1e994702f5506d0db335fd3d
Instruction ID: 478890cc8bf05ec2af4b98158230fc34244403f54a30b7d78a7c5aa8ff0d074e
Opcode Fuzzy Hash: b2e454cb5d84d98a2cfc852bc8a0bc1f34e4072d1e994702f5506d0db335fd3d
Instruction Fuzzy Hash: 0001F171A41214ABCB04EBA0CC96DFE77E9FF46320B200AADF872572D1DF315808C650

Function 00BC91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

Part of subcall function 00BCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BCB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00BC924D

Strings

ComboBox, xrefs: 00BC91EC
ListBox, xrefs: 00BC9217

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 78204892dd62fdb40a9b7bb1e676bcada31976b882336b0e75c17e477db82a0c
Instruction ID: b1fa7883919dac0916daa936bd377caae7f92f885f8e3313c895ad104119e46c
Opcode Fuzzy Hash: 78204892dd62fdb40a9b7bb1e676bcada31976b882336b0e75c17e477db82a0c
Instruction Fuzzy Hash: 6C018471A411047BDB14EBA0C996EFF73E8DF05300F2401A9B9566B681EE255E089661

Function 00BC9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B77F41: _memmove.LIBCMT ref: 00B77F82

Part of subcall function 00BCB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00BCB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00BC92D0

Strings

ComboBox, xrefs: 00BC9271
ListBox, xrefs: 00BC929C

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4f5b470e943904d008a7e4650439b45f3a6a2474d23d190f1648f37188e5ee9a
Instruction ID: bead0e03fdc7c14210a169cd0827aa0e4d3aeb5c22439fa0851a8b7f8256a2df
Opcode Fuzzy Hash: 4f5b470e943904d008a7e4650439b45f3a6a2474d23d190f1648f37188e5ee9a
Instruction Fuzzy Hash: 8301A271A8110877DB14EBA0C986EFF77ECDF11300F2441A9B86667282DE215E0CD272

Function 00BD51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00BD51E8
_wcscmp.LIBCMT ref: 00BD51FA

Strings

#32770, xrefs: 00BD51F4

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 60110c0be015b46a35b652bfdaa01b14f884b5411908bb9ce3d21fb62ed8e2b0
Instruction ID: 01e1649ce5b39b058cc46174fa6f8906c31b9fdb2c9c009c24f6026af91f873e
Opcode Fuzzy Hash: 60110c0be015b46a35b652bfdaa01b14f884b5411908bb9ce3d21fb62ed8e2b0
Instruction Fuzzy Hash: 1AE09272A042296BE720AA99AC49FA7F7ECEB45B61F0001ABF914D3150E5609A458BE1

Function 00BC81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BC81CA

Part of subcall function 00B93598: _doexit.LIBCMT ref: 00B935A2

Strings

Error allocating memory., xrefs: 00BC81C3
AutoIt, xrefs: 00BC81BE

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 7d16741a22e414ee7f04cf48f01a4c09f349ae62ecb8f1def05d99fb01e0f4c3
Instruction ID: ee268c5e77f21baf113d20fd1d2525574423b5eb9ed521a4e8d9701d8275c559
Opcode Fuzzy Hash: 7d16741a22e414ee7f04cf48f01a4c09f349ae62ecb8f1def05d99fb01e0f4c3
Instruction Fuzzy Hash: F0D012322C532936D61532A86C06FD565C88B19B52F544475BB08965D38ED29981829D

Function 00BAB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BAB564: _memset.LIBCMT ref: 00BAB571

Part of subcall function 00B90B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BAB540,?,?,?,00B7100A), ref: 00B90B89

IsDebuggerPresent.KERNEL32(?,?,?,00B7100A), ref: 00BAB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B7100A), ref: 00BAB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BAB54E

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 5d69a2d3f07c8f33ca69687ecd0c1f65a7797f805eff2f441b64d18db3cd5bc2
Instruction ID: 18ae0fea70bd4d46d1c06b61b18e381d5622e0b8fcd52dc035d532270de14bc2
Opcode Fuzzy Hash: 5d69a2d3f07c8f33ca69687ecd0c1f65a7797f805eff2f441b64d18db3cd5bc2
Instruction Fuzzy Hash: 33E06DB4A143118FD720EF28E414B567BE0AF15715F0489ADE456C3252EBB4D444CB61

Function 00BF5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BF5BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BF5C08

Part of subcall function 00BD54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BD555E

Strings

Shell_TrayWnd, xrefs: 00BF5BEE

Memory Dump Source

Source File: 00000000.00000002.1358203580.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1358147019.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000BFF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1359231910.0000000000C25000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360269939.0000000000C2F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1360289604.0000000000C38000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_documentos.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ccd208557159b51a9bbeb492e0a1ad0f1de6dad25fcb651ec578134f7b22e839
Instruction ID: be49d06d5765e4297142c136c4fddf90577876a7609b0e56925433831910a898
Opcode Fuzzy Hash: ccd208557159b51a9bbeb492e0a1ad0f1de6dad25fcb651ec578134f7b22e839
Instruction Fuzzy Hash: 30D0C931388312B7E774AB70AC0BFB76A54AF10B61F000835B655AB2D0DDE49840C654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report documentos.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut4FBD.tmp

C:\Users\user\AppData\Local\Temp\aut502C.tmp

C:\Users\user\AppData\Local\Temp\outbluffed

C:\Users\user\AppData\Local\Temp\totten

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
documentos.exe

Function 00B73B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00B74AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00B74FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00BD93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00B73015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69
windowregistryCOMMON

Function 00B73041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00B771EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00B73A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00B73633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00B73778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 02572650 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00B739E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 02572410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Function 00B7410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00B9564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre