Edit tour

Windows Analysis Report
presupuesto urgente.exe

Overview

General Information

Sample name:	presupuesto urgente.exe
Analysis ID:	1525571
MD5:	8ae672783481c0b46780431bfce5a216
SHA1:	ace989f4c2a82f48cc3167e531ab13d2999537b2
SHA256:	5e279ef4c54dfc525f423b98054f37ee6eb51a71e8c1f76d5438393055442173
Tags:	exeuser-threatcat_ch
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

PE / OLE file has an invalid certificate

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

presupuesto urgente.exe (PID: 2612 cmdline: "C:\Users\user\Desktop\presupuesto urgente.exe" MD5: 8AE672783481C0B46780431BFCE5A216)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4503986910.0000000004438000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: presupuesto urgente.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: presupuesto urgente.exe

ReversingLabs: Detection: 18%

Source: presupuesto urgente.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: presupuesto urgente.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\presupuesto urgente.exe	Code function: 0_2_004066F3 FindFirstFileW,FindClose,	0_2_004066F3
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405ABE
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

Source: presupuesto urgente.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Code function: 0_2_00405553 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405553

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Code function: 0_2_00403489 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403489

Source: C:\Users\user\Desktop\presupuesto urgente.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\presupuesto urgente.exe	Code function: 0_2_00404D90		0_2_00404D90
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Code function: 0_2_00406ABA		0_2_00406ABA

Source: presupuesto urgente.exe

Static PE information: invalid certificate

Source: presupuesto urgente.exe, 00000000.00000000.2045126216.0000000000457000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameloyaliteters radierne.exeR vs presupuesto urgente.exe
Source: presupuesto urgente.exe	Binary or memory string: OriginalFilenameloyaliteters radierne.exeR vs presupuesto urgente.exe

Source: presupuesto urgente.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/8@0/0

Source: C:\Users\user\Desktop\presupuesto urgente.exe

0_2_00403489

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Code function: 0_2_00404814 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404814

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Code function: 0_2_004020FE CoCreateInstance,

0_2_004020FE

Source: C:\Users\user\Desktop\presupuesto urgente.exe

File created: C:\Users\user\AppData\Local\Temp\nsq6CC2.tmp

Jump to behavior

Source: presupuesto urgente.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\presupuesto urgente.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: presupuesto urgente.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\presupuesto urgente.exe

File read: C:\Users\user\Desktop\presupuesto urgente.exe

Jump to behavior

Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\presupuesto urgente.exe

File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Gaulin.ini

Jump to behavior

Source: presupuesto urgente.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.4503986910.0000000004438000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Code function: 0_2_10002DE0 push eax; ret

0_2_10002E0E

Source: C:\Users\user\Desktop\presupuesto urgente.exe

File created: C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\presupuesto urgente.exe

RDTSC instruction interceptor: First address: 4421061 second address: 4421061 instructions: 0x00000000 rdtsc 0x00000002 test al, cl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4AF8BA4C18h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a rdtsc

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\presupuesto urgente.exe	Code function: 0_2_004066F3 FindFirstFileW,FindClose,	0_2_004066F3
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Code function: 0_2_00405ABE CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405ABE
Source: C:\Users\user\Desktop\presupuesto urgente.exe	Code function: 0_2_00402862 FindFirstFileW,	0_2_00402862

Source: C:\Users\user\Desktop\presupuesto urgente.exe	API call chain: ExitProcess graph end node			graph_0-4671
Source: C:\Users\user\Desktop\presupuesto urgente.exe	API call chain: ExitProcess graph end node			graph_0-4513

Source: C:\Users\user\Desktop\presupuesto urgente.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\presupuesto urgente.exe

0_2_00403489

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
presupuesto urgente.exe	18%	ReversingLabs	Win32.Trojan.Generic
presupuesto urgente.exe	100%	Avira	HEUR/AGEN.1331786

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	presupuesto urgente.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525571
Start date and time:	2024-10-04 11:47:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	presupuesto urgente.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/8@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 33
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll	PEDIDO-144797.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PEDIDO-144797.exe	Get hash	malicious	GuLoader	Browse
	rpedido-002297.exe	Get hash	malicious	FormBook, GuLoader	Browse
	rpedido-002297.exe	Get hash	malicious	GuLoader	Browse
	FACTURA-002297.exe	Get hash	malicious	FormBook, GuLoader	Browse
	FACTURA-002297.exe	Get hash	malicious	GuLoader	Browse
	LisectAVT_2403002A_41.exe	Get hash	malicious	GuLoader	Browse
	LisectAVT_2403002A_41.exe	Get hash	malicious	GuLoader	Browse
	Inventory_list.img.exe	Get hash	malicious	GuLoader	Browse
	Inventory_list.img.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\presupuesto urgente.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.659384359264642
Encrypted:	false
SSDEEP:	192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
MD5:	8B3830B9DBF87F84DDD3B26645FED3A0
SHA1:	223BEF1F19E644A610A0877D01EADC9E28299509
SHA-256:	F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
SHA-512:	D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: PEDIDO-144797.exe, Detection: malicious, Browse Filename: PEDIDO-144797.exe, Detection: malicious, Browse Filename: rpedido-002297.exe, Detection: malicious, Browse Filename: rpedido-002297.exe, Detection: malicious, Browse Filename: FACTURA-002297.exe, Detection: malicious, Browse Filename: FACTURA-002297.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_41.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_41.exe, Detection: malicious, Browse Filename: Inventory_list.img.exe, Detection: malicious, Browse Filename: Inventory_list.img.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....uY...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..`....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq6CC3.tmp

Download File

Process:	C:\Users\user\Desktop\presupuesto urgente.exe
File Type:	data
Category:	dropped
Size (bytes):	1373370
Entropy (8bit):	3.900890255684548
Encrypted:	false
SSDEEP:	12288:Xmz13uukjak7s0jS8vhL91GbgdQZIKfMiaDacDU0A0K:UNuzD+gDUrR
MD5:	DA817DD2FF7DF00798124C9316B89865
SHA1:	924BED611E5CA8AE2A767779353A3C50022C4B84
SHA-256:	C1C4F27D850CCA276D4665B5F5B2254837831EE462009A03B39781E28DDF8CE9
SHA-512:	ABDDBCDF8FFA41AC84DF645C3B355A3A59C0AA55FFA4C758015D29B73CA7D9411ABFB9FF98422ABE39D4A808287FE236D017330D15B5DAA27CFA1E3B11F83D40
Malicious:	false
Reputation:	low
Preview:	.8......,........................)......t7.......8..........................................................................................................................................................................................................................................G...J...........%...j...............................................................................................................................U...............'...'...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet\Envy.Vir

Download File

Process:	C:\Users\user\Desktop\presupuesto urgente.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	452714
Entropy (8bit):	2.6437725125591145
Encrypted:	false
SSDEEP:	3072:Jxvhq0/c8zEEGKyHdqdqTZIhz+fMikFN905P4:TvhL91GbgdQZIz+fMiaN9ag
MD5:	31FA6D00190DA55D190F69027CD409CC
SHA1:	6E40E777863649597448A8A8C4A88B4DEB77D2CE
SHA-256:	BF04A6E6A09EAD8B83EF15BF34E3D151C5F683D869D02F6DFFCFC632DD130BE7
SHA-512:	5650B68EC2FE4A0C8F068A9EA27CD9A7BAADC2151BB819C7FB0087807D39F860D4B0AC5402C6FFFBA9AE43C7E07D42E9643A3FD17AB0DCFEE715CCF499CB5CB5
Malicious:	false
Reputation:	low
Preview:	00000000ADAD00000000000000280000D5D5D50081001C0000009D003C3C3C3C3C3C00002300F1F100000043434300003200007676009A9A9A000000D50016161600A500000080808080000000003F0000000000B5B5B5000000F10000000000C700008888880004040000D20000151500CD000000969600E3E3E3000000F6F60000001F1F00E100730000FF00006800A9A9A900F8F8000000AF000084006E0000750076000A0A0A0000A800151500A700969600B3B3B30000000B00EEEE00008D8D0000303000D9D9004545450071000F0F0072720000D3001212005454007C000099000000000000DD000071710000EEEE0000002D2D00AC00D2005800000D00000000000020001313131313130052000026000000000000CCCC0025250000000000000000FDFD002F0000373700007D7D001F0062005A5A000000D600AD0000BD00009100BEBEBEBEBEBE00CECE00006A0000007D7D00000000FFFF0000000046464600000000ED0000F4F400003B009200C3C3C3004E4E4E4E00B4B4B4000000D10000000000828282009E0086000089898900005E000000CA006969000000770000640000B2B2B200005200F2008F0082005D00007B7B7B7B005B0047000000FC0000001515006969000000D9000000E5E5E5E5E5000F005757001A002A000000000000C5C500000C0C0000970000004A00

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet\Gemyser.Red

Download File

Process:	C:\Users\user\Desktop\presupuesto urgente.exe
File Type:	data
Category:	dropped
Size (bytes):	219226
Entropy (8bit):	7.436492024340276
Encrypted:	false
SSDEEP:	3072:132zftwOsH2Pnuw9B01E8qxXPDgs2MdpBw7opajuN5Vs9oY7sTtZXMGa3QGkCCLH:1mz1AWPuCXkslB+yajwk7sxKGsjkhkS
MD5:	03016A728D29C285C8CBA4EE426ED89D
SHA1:	776E51BCDEB03EB45E67563C52C8FEC881CC95E1
SHA-256:	20B21594F8F281C5A47ABBBF0D9FC745DDE6EC535E5E6272FF96D1D2DFB13942
SHA-512:	0E23540F06D8423BD0E3E3412988D0C820B3EC0BF7E23A4365AFA4FE8994C1D09B4F8D5B7C2BCA38142322F04B617B3239585147DB052295C0F292E34AB46D6D
Malicious:	false
Reputation:	low
Preview:	....uuuuuu..g...s..:::.. ....jjj.SS........OOOO.........}}}....................]]]]]]...................%%.....&&.......8...............s.....................P...tttt........p.....................................qq...I..............##.2.....[[[[..........................'........MMM......]]]......................................................................SSSS..............................................NN..}}}.R............[[......_.........;.yy.>>..........)))....GGGG..nn......qq..!!!..l.(((....\|.....................!....@@@@.....w....................J...FF....p......2.......................cc../..............K..............F...v................HHH.}}}.?.^...............VVVV.....^^^^^^^.........N.//.........v...BB..........t.....................Q..PPP............v...777.........LLLLLL...........K.......22..........).........E..........P.....................r...........[[..............E....##.........9..zzzzz.....I................88....cc.......n.,,,,................DDDD.........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet\bushers.txt

Download File

Process:	C:\Users\user\Desktop\presupuesto urgente.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	523
Entropy (8bit):	4.30492942039079
Encrypted:	false
SSDEEP:	12:nGy3qcf5opzE6vCdgLMc/Uqv7FE7KRbqYUH6uN0u8vM:GEpxoy6adY/UqvZEwbql6uNh
MD5:	B33890A43FB0F38B6DDF18C5BCEFE234
SHA1:	80ED178A92C2B5CB530AEE4673FFC9011EBF86BB
SHA-256:	3BF02F982A76A4C896FDA78C1C4B2B730D690DD86475213DC415269D4629407B
SHA-512:	169E2D067337BF05BA08D615CE61B28CA4FD93D204966B3386FB4B373D9BACD689BEE3DDC5E04A4F19586E585263F62BC40B0944A10E5867C63C9C7236A5CC48
Malicious:	false
Reputation:	low
Preview:	clisiocampa percussing acronyctous petitesses pilgrimsrejser zygosphene miasmology konkyljens..labelable kraftls veneries symbolically duncan sulemadens,logopdisk genuinenesses pseudoinspirational bekenderen.franciscanism krftcellers drylots toksikologiskes rottegiftes impecuniary slisken autokratiets hjertebaandet banegaardsbygningen choenix..adrenocorticotropic mangfoldigheders avisudvikling ekstremitetens skamsloges nrede unpersuasion trachling tvrformatets..negerbolle suppressionen lustful bagels flamenco selrets,

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet\meropidae.kej

Download File

Process:	C:\Users\user\Desktop\presupuesto urgente.exe
File Type:	data
Category:	dropped
Size (bytes):	276551
Entropy (8bit):	1.2459972317120458
Encrypted:	false
SSDEEP:	768:q5eLWls2nEEvz9mAEPesDf7zRhfRKrtTgtOnumyYJBW+JAILJcqhOzwnasNP2r2J:q86nLDJnJuki2BaFsfRz
MD5:	0071DC51C79F0655F0BB77074D56B1D7
SHA1:	9617AE1434B07532BAAF39D69CF720C05B85E8F9
SHA-256:	0628FA8F44795D79D5B855E8387985E04D134E8B57FE4D57E663FBAED278DF89
SHA-512:	E2149E9F3B18DCB50E49EC51226D7A6BF3969E119B385410E80E431024B25A938C965C743D80C0C1D8A3820D0DDDA14464CAC75F73AE22F259B447264F8431BA
Malicious:	false
Reputation:	low
Preview:	........................................................#..................................................................................E........R...............................]......................W...\......O.........................................$9......4.............................;..........X........................Z........"..............................................................................;..........U.....................^.....................l.......................3...................~............u.........................................e......P..................................H..............................................................................2.........2.................>....................................................................................................................+.......z....................A..$.........................................................................................]........?..............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet\plastron.ori

Download File

Process:	C:\Users\user\Desktop\presupuesto urgente.exe
File Type:	data
Category:	dropped
Size (bytes):	398154
Entropy (8bit):	1.2543435533086644
Encrypted:	false
SSDEEP:	1536:8IfJmHKeJzuGrd0myk0Ek5rFnJd62xZ9WEmaslkcO:8omHKAJR0T8axr
MD5:	7BA8E260D6477B4FD16DAE2D14EA4482
SHA1:	16873CB5BFBA899D4ED937603AA9980F119695D6
SHA-256:	C19F7B3F1A20E1529113EE69AA53DB6E124A51F03098E6FB6AF0E76037C85B8B
SHA-512:	ECAA786515C73B08A44C22FD48B205166611750EC633849823A88BBF95A675CA29FB7F22E652EFCFC055FC92F8381FC6276F4B732F91612A2385BF670131FFF2
Malicious:	false
Reputation:	low
Preview:	...................z...................................................1........................................T.......r...........................'......................O..................\|......P.................................0.....................................).......................l.............S..^......Z.........E.................................{.....................................................................................................................................................................$...........*................................................D........y....................................0..........\|........m............................G.............Q...........>...s.......C...................................................".....................................................................+.......................L...6.......................................................................`.................................k.....................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Gaulin.ini

Download File

Process:	C:\Users\user\Desktop\presupuesto urgente.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	4.046762824854522
Encrypted:	false
SSDEEP:	3:lgov8fOMy:XHB
MD5:	CFDA8E6AADE7958F94A959BDB29CB209
SHA1:	59C459E105A7AF33D13A365F735E3CB7B8E5DDB0
SHA-256:	B4543E8AB4997934D2EDC7DE8A76A24B7C2CCB641212AE3B9B17FE05B71D3E87
SHA-512:	EDFDCA00667ED3A5558F7E614373F0B8393763A979154666972C659CB44E75CCD51170E4E2189043046EB4DDB8A68642BBDB6F98A0E494E76E86FAAF14F993B2
Malicious:	false
Preview:	[xanthippe]..sikkerhedsgraden=preve..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.244448418739602
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	presupuesto urgente.exe
File size:	582'088 bytes
MD5:	8ae672783481c0b46780431bfce5a216
SHA1:	ace989f4c2a82f48cc3167e531ab13d2999537b2
SHA256:	5e279ef4c54dfc525f423b98054f37ee6eb51a71e8c1f76d5438393055442173
SHA512:	be1f8b04c0ff14dfb85089a1311f6fcffaa26db076d6889f756a077503430d7d7ff2cdfc944ed7ef1a47a7f88ad374834c8b945fb96ab1a82f09573c98a54d83
SSDEEP:	6144:wIw3/aiZzcfWAnp3NRmqRAV596VJk4PGJ5zkk2vZBKmXSSwrw:Ma/1MVzim5zF2hwymw
TLSH:	F0C4DF9B6ED2C9EED4530A3099E5B5B0B1F1ADF09B03990767B33AFD2C31E618E05215
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....uY.................d...*.....

File Icon


Icon Hash:	5ce633391c1c0601

Static PE Info

General

Entrypoint:	0x403489
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5975952E [Mon Jul 24 06:35:26 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f23f452093b5c1ff091a2f9fb4fa3e9

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Adusk Mellemhandler ", E=meteoritics@Vacuolate.Je, L=Sanford, S=Michigan, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	05/09/2024 11:36:49 05/09/2027 11:36:49
Subject Chain	CN="Adusk Mellemhandler ", E=meteoritics@Vacuolate.Je, L=Sanford, S=Michigan, C=US
Version:	3
Thumbprint MD5:	B289B9B21F52A17FDC61A0D70D86F1B8
Thumbprint SHA-1:	DBE4A4D453126B6BF0C2598625BB04CE9CD1C5D5
Thumbprint SHA-256:	344BFA8915E4912A82E48C85E479AF071690941A2C0E3DAAF3804C3454FDEBBC
Serial:	247A1D845B68D30CAE805BFEE406FB9766A77266

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007F4AF8FF5C93h
push ebx
call 00007F4AF8FF8F41h
cmp eax, ebx
je 00007F4AF8FF5C89h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F4AF8FF8EBBh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F4AF8FF5C6Ch
push 0000000Ah
call 00007F4AF8FF8F14h
push 00000008h
call 00007F4AF8FF8F0Dh
push 00000006h
mov dword ptr [0042A244h], eax
call 00007F4AF8FF8F01h
cmp eax, ebx
je 00007F4AF8FF5C91h
push 0000001Eh
call eax
test eax, eax
je 00007F4AF8FF5C89h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x57000	0x220b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8cea8	0x1320
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x63d1	0x6400	139645791b76bd6f7b8c4472edbbdfe5	False	0.66515625	data	6.479451209065	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	007eff248f0493620a3fd3f7cadc755b	False	0.45	data	5.143831732151552	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	ec5bcec782f43a3fb7e8dfbe0d0db4db	False	0.501953125	data	4.000739070159718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x2c000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x57000	0x220b8	0x22200	30cc4d5ad2d805f600d8d9358a38829a	False	0.1827066163003663	data	2.9689436080399076	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x572c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.14975452502070272
RT_ICON	0x67af0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.18344019339920117
RT_ICON	0x70f98	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.21953235710911667
RT_ICON	0x751c0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.2731327800829875
RT_ICON	0x77768	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.3428705440900563
RT_DIALOG	0x78810	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x78930	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x78a50	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x78b18	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x78b78	0x4c	data	English	United States	0.8026315789473685
RT_VERSION	0x78bc8	0x1b0	data	English	United States	0.5601851851851852
RT_MANIFEST	0x78d78	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 11:48:42.398380995 CEST	53	54594	162.159.36.2	192.168.2.5
Oct 4, 2024 11:48:42.897088051 CEST	53	60955	1.1.1.1	192.168.2.5

Target ID:	0
Start time:	05:47:56
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\presupuesto urgente.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\presupuesto urgente.exe"
Imagebase:	0x400000
File size:	582'088 bytes
MD5 hash:	8AE672783481C0B46780431BFCE5A216
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.4503986910.0000000004438000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.1%
Dynamic/Decrypted Code Coverage:	13.2%
Signature Coverage:	19.2%
Total number of Nodes:	1590
Total number of Limit Nodes:	36

Executed Functions

Function 00403489 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 412
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034AC
GetVersion.KERNEL32 ref: 004034B2
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034E5
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403522
OleInitialize.OLE32(00000000), ref: 00403529
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403545
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 0040355A
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\presupuesto urgente.exe",00000000,?,00000006,00000008,0000000A), ref: 0040356D
CharNextW.USER32(00000000,"C:\Users\user\Desktop\presupuesto urgente.exe",00000020,?,00000006,00000008,0000000A), ref: 00403594

Part of subcall function 0040678A: GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
Part of subcall function 0040678A: GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036CE
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036DF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004036EB
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004036FF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403707
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403718
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403720
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403734

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004037FF
ExitProcess.KERNEL32 ref: 00403820
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\presupuesto urgente.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403833
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\presupuesto urgente.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403842
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\presupuesto urgente.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\presupuesto urgente.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403859
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403875
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038CF
CopyFileW.KERNEL32(C:\Users\user\Desktop\presupuesto urgente.exe,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038E3
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 00403910
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040393F
OpenProcessToken.ADVAPI32(00000000), ref: 00403946
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040395B
AdjustTokenPrivileges.ADVAPI32 ref: 0040397E
ExitWindowsEx.USER32(00000002,80040002), ref: 004039A3
ExitProcess.KERNEL32 ref: 004039C6

Strings

.tmp, xrefs: 00403847
TMP, xrefs: 0040371B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034A0
TEMP, xrefs: 00403713
Low, xrefs: 00403701
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet, xrefs: 004036B1, 004037D1, 0040387B, 00403885
Error launching installer, xrefs: 004037B6
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet, xrefs: 004037DC
C:\Users\user\Desktop\presupuesto urgente.exe, xrefs: 004038DE
UXTHEME, xrefs: 004034D9, 004034DE, 004034E4
C:\Users\user\Desktop, xrefs: 00403852, 00403857, 00403884
NSIS Error, xrefs: 0040354B
"C:\Users\user\Desktop\presupuesto urgente.exe", xrefs: 00403560, 00403566, 0040375C
1033, xrefs: 0040372F
SeShutdownPrivilege, xrefs: 00403955
\Temp, xrefs: 004036E5
~nsu, xrefs: 0040382B
C:\Users\user\AppData\Local\Temp\, xrefs: 004036C3, 004036C8, 004036DE, 004036EA, 004036F9, 00403706, 00403712, 0040371A, 00403830, 00403841, 0040384C, 00403858, 00403865, 00403874, 00403925

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\presupuesto urgente.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet$C:\Users\user\Desktop$C:\Users\user\Desktop\presupuesto urgente.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-2944726535
Opcode ID: 0c5ed391fea6fa0d6bec001cb8bac7c1b86e8aed39806b07c52da4fce73069a4
Instruction ID: aa49a9b5ba718b736b7abce3970f6df4d0a927ceef10040f9259c4205047f8e0
Opcode Fuzzy Hash: 0c5ed391fea6fa0d6bec001cb8bac7c1b86e8aed39806b07c52da4fce73069a4
Instruction Fuzzy Hash: 3DD103B1600311ABD3206F759D45B3B3AACEB4070AF10443FF981B62D2DBBD8D558A6E

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000000.00000002.4505515296.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4505502087.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505526475.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505538713.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_presupuesto urgente.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Function 00405ABE Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405AE7
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B2F
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B52
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B58
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405B68
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C08
FindClose.KERNEL32(00000000), ref: 00405C17

Strings

\*.*, xrefs: 00405B29
0WB, xrefs: 00405B17
"C:\Users\user\Desktop\presupuesto urgente.exe", xrefs: 00405ABE
C:\Users\user\AppData\Local\Temp\, xrefs: 00405ACC

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\presupuesto urgente.exe"$0WB$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-741248912
Opcode ID: 6a659da8d5721ce07b89c17eb76fa4599111a2d920b673130fc03b7c63125bad
Instruction ID: 07f17dd178ac6d8b62b8dc139a3c49ba2dacd8a3a96bf447fe2624e5f5ce8b98
Opcode Fuzzy Hash: 6a659da8d5721ce07b89c17eb76fa4599111a2d920b673130fc03b7c63125bad
Instruction Fuzzy Hash: 1741D030904A18A6DB21AB618D89FBF7678EF42719F50813BF801B11D1D77C5982DEAE

Function 00406ABA Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c070ca994c387dc491d90c6da3338e95d076c4c889754936ff9c01511acbaf1
Instruction ID: 906bff5cfe4bf8fc25f5c52b70697fc94252e662920e9b50785524ea690ef068
Opcode Fuzzy Hash: 3c070ca994c387dc491d90c6da3338e95d076c4c889754936ff9c01511acbaf1
Instruction Fuzzy Hash: EBF17870D04229CBDF18CFA8C8946ADBBB1FF44305F15816ED856BB281D7386A86DF45

Function 004066F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405DD2,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 004066FE
FindClose.KERNELBASE(00000000), ref: 0040670A

Strings

xgB, xrefs: 004066F4

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 551d457f2096baf6d1028c2489454c6ec1272a262abf728b5c7319079dd029a3
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: DBD012315090209BC201173CBE4C85B7A989F953397128B37B466F71E0C7348C638AE8

Function 00403ABE Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040678A: GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
Part of subcall function 0040678A: GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75923420,"C:\Users\user\Desktop\presupuesto urgente.exe",00000000), ref: 00403B3F
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BBF
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BD2
GetFileAttributesW.KERNEL32(Call), ref: 00403BDD
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet), ref: 00403C26

Part of subcall function 004062F7: wsprintfW.USER32 ref: 00406304

RegisterClassW.USER32(004291E0), ref: 00403C63
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C7B
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CB0
ShowWindow.USER32(00000005,00000000), ref: 00403CE6
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D12
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D1F
RegisterClassW.USER32(004291E0), ref: 00403D28
DialogBoxParamW.USER32(?,00000000,00403E6C,00000000), ref: 00403D47

Strings

RichEd20, xrefs: 00403CEC
Control Panel\Desktop\ResourceLocale, xrefs: 00403AF2
Call, xrefs: 00403B86, 00403B8F, 00403B9D, 00403BEC, 00403BF2
_Nb, xrefs: 00403C42, 00403CAA
(7B, xrefs: 00403AEA
.DEFAULT\Control Panel\International, xrefs: 00403B2A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet, xrefs: 00403B4E, 00403B56, 00403BF9, 00403BFF, 00403C0F
RichEdit20W, xrefs: 00403D0A, 00403D10
RichEd32, xrefs: 00403CFA
"C:\Users\user\Desktop\presupuesto urgente.exe", xrefs: 00403AC2
1033, xrefs: 00403ADE, 00403B3A
C:\Users\user\AppData\Local\Temp\, xrefs: 00403ACA
RichEdit, xrefs: 00403D19
.exe, xrefs: 00403BCC

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\presupuesto urgente.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-667676935
Opcode ID: ee5fd85ec343bc094daa65e3c13ef1cff60d12f5a08356af1ceed260609d9923
Instruction ID: afe91a4761cf59ebc4b7da6c1f2e4a45d87dcf75ce704844472433b73fc63153
Opcode Fuzzy Hash: ee5fd85ec343bc094daa65e3c13ef1cff60d12f5a08356af1ceed260609d9923
Instruction Fuzzy Hash: 81619370200601BED720AF669D46E2B3A7CEB84B49F40447FFD45B62E2DB7D9912862D

Function 00402F14 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F28
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\presupuesto urgente.exe,00000400), ref: 00402F44

Part of subcall function 00405EA2: GetFileAttributesW.KERNELBASE(00000003,00402F57,C:\Users\user\Desktop\presupuesto urgente.exe,80000000,00000003), ref: 00405EA6
Part of subcall function 00405EA2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\presupuesto urgente.exe,C:\Users\user\Desktop\presupuesto urgente.exe,80000000,00000003), ref: 00402F8D
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030D4

Strings

C:\Users\user\Desktop\presupuesto urgente.exe, xrefs: 00402F2E, 00402F3D, 00402F51, 00402F6E
C:\Users\user\Desktop, xrefs: 00402F6F, 00402F74, 00402F7A
Null, xrefs: 0040300D
"C:\Users\user\Desktop\presupuesto urgente.exe", xrefs: 00402F14
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040311D
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040316B
Error launching installer, xrefs: 00402F64
soft, xrefs: 00403004
Inst, xrefs: 00402FFB
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F21, 004030EC

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\presupuesto urgente.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\presupuesto urgente.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-106735223
Opcode ID: 4aa3185e2732ea1d92bd2938039fdcb50ab67e449d873de13479ee0b69e06266
Instruction ID: 409c8f22eebac3ceeba7cf51205c68f93d68dba00e9ec32c8e3ebc1c19b8881b
Opcode Fuzzy Hash: 4aa3185e2732ea1d92bd2938039fdcb50ab67e449d873de13479ee0b69e06266
Instruction Fuzzy Hash: 8D61E031A00204ABDB20EF65DD85A9A7BA8EB04355F20817FF901F72D0C77C9A418BAD

Function 004063D2 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406513
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00422708,?,0040544B,00422708,00000000), ref: 00406526
SHGetSpecialFolderLocation.SHELL32(0040544B,00000000,00000000,00422708,?,0040544B,00422708,00000000), ref: 00406562
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406570
CoTaskMemFree.OLE32(00000000), ref: 0040657B
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065A1
lstrlenW.KERNEL32(Call,00000000,00422708,?,0040544B,00422708,00000000), ref: 004065F9

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 004064E3
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040659B
Call, xrefs: 004063FC, 004064D7, 004064DE, 004064E2, 004064FC, 004064FD, 00406512, 00406525, 00406541, 0040656C, 004065A0, 004065A6, 004065C2, 004065D5, 004065F2, 004065F8, 00406604, 00406637

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: 15e8cba43a00d1251787e7505a7f0100c69544ffb4eb695e889bacc90eff1716
Instruction ID: 781aa6555cb08bc9a39a1310e2b7c8a7a94b670d8f790df7948cd7d686d0a9f3
Opcode Fuzzy Hash: 15e8cba43a00d1251787e7505a7f0100c69544ffb4eb695e889bacc90eff1716
Instruction Fuzzy Hash: 52611771600101ABDF209F54ED40ABE37A5AF40314F56453FE947B62D4D73D8AA2CB5D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet,?,?,00000031), ref: 004017D5

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

Part of subcall function 00405414: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(00422708,00402EEC,00402EEC,00422708,00000000,00000000,00000000), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(00422708,00422708), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Strings

Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Local\Temp\nsj72EF.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsj72EF.tmp$C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet$Call
API String ID: 1941528284-267157193
Opcode ID: c80200c29ca938d3f9be0bc76a293d962ee4304018d07197e4f76f8e1ca0c2de
Instruction ID: 6d789f9af123ab0f865e5502c846d56d3cd3544f1fa5f1ae7e054fd30d3333f6
Opcode Fuzzy Hash: c80200c29ca938d3f9be0bc76a293d962ee4304018d07197e4f76f8e1ca0c2de
Instruction Fuzzy Hash: E741D871510115BACF117BA5CD45EAF3679EF01328B20423FF922F10E1DB3C8A519AAE

Function 00402644 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B0
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724

Part of subcall function 00405F83: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405F99

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0

Strings

9, xrefs: 00402693

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 87cfad3e31df379bf1329a0d53b4cb21fa96f1686d8734dbec1fa7beea93af1a
Instruction ID: c360ee4afea2d2749c5a2d2d3cba589ababf6fe072d155cbc4f623872b1d9462
Opcode Fuzzy Hash: 87cfad3e31df379bf1329a0d53b4cb21fa96f1686d8734dbec1fa7beea93af1a
Instruction Fuzzy Hash: 2E51F874D0021AAADF20DFA5DA88AAEB779FF04304F50443BE511B72D0D7B899828B58

Function 0040671A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406731
wsprintfW.USER32 ref: 0040676C
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406780

Strings

UXTHEME, xrefs: 00406723
\, xrefs: 00406742
%s%S.dll, xrefs: 00406766

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 212fe184e71725d5a8014c1118872f5233ada1a9ecb6260670121aae60094f83
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: BBF02170510119ABCF10BB64DD0DF9B375CAB00305F50447AA546F20D1EBBCDA78C798

Function 004058E3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405926
GetLastError.KERNEL32 ref: 0040593A
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040594F
GetLastError.KERNEL32 ref: 00405959

Strings

C:\Users\user\Desktop, xrefs: 004058E3

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-1246513382
Opcode ID: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
Instruction ID: c49c088e9ba2396d105a9c54abfe353073567d613583196498a7e7de041cdc41
Opcode Fuzzy Hash: 4e538d1c76d2fdfb7cd0fd00a6572ed9e7029d57e55293966324597acc96cb40
Instruction Fuzzy Hash: C8011AB1C10619DADF009FA1C9487EFBFB4EF14354F00403AD545B6291D7789618CFA9

Function 00405ED1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405EEF
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\presupuesto urgente.exe",00403487,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036D5), ref: 00405F0A

Strings

nsa, xrefs: 00405EDE
"C:\Users\user\Desktop\presupuesto urgente.exe", xrefs: 00405ED1
C:\Users\user\AppData\Local\Temp\, xrefs: 00405ED6, 00405EDA

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\presupuesto urgente.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3243705145
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 6418149b7de8853f47a359c443b4445f7a51012143164c36937b703eba88611a
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 51F03076A00204FBEB009F59ED05E9BB7ACEB95750F10803AED41F7250E6B49A54CB69

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8

Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.4505515296.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4505502087.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505526475.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505538713.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_presupuesto urgente.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
Opcode Fuzzy Hash: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761

Function 004023DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj72EF.tmp,00000023,00000011,00000002), ref: 00402429
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsj72EF.tmp,00000000,00000011,00000002), ref: 00402469
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsj72EF.tmp,00000000,00000011,00000002), ref: 00402551

Strings

C:\Users\user\AppData\Local\Temp\nsj72EF.tmp, xrefs: 0040241A, 00402428, 0040243F, 00402453, 0040245E

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsj72EF.tmp
API String ID: 2655323295-4242380532
Opcode ID: e48b1e85c28757713ab227aa479e2b9ceb42c74d784ae5642fab68139845f862
Instruction ID: 1eab41df84c6b24c6b923ea001d17cdc0cfdc7d4c8a499a75fdfc4da8179f3fa
Opcode Fuzzy Hash: e48b1e85c28757713ab227aa479e2b9ceb42c74d784ae5642fab68139845f862
Instruction Fuzzy Hash: A1118171E00108AFEB10AFA5DE49EAEBAB4EB54354F11803AF504F71D1DBB84D459B58

Function 00402D2A Relevance: 6.1, APIs: 4, Instructions: 64
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
RegCloseKey.ADVAPI32(?), ref: 00402D98
RegCloseKey.ADVAPI32(?), ref: 00402DB9

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: df4bd2222173038e22a6f7143f63260fc380016edffd80d7804df4238b5218be
Instruction ID: 0f4b1bf7762f76a333ccd5711aab570045f86c75fcf3a50f9e11fcc9d843940a
Opcode Fuzzy Hash: df4bd2222173038e22a6f7143f63260fc380016edffd80d7804df4238b5218be
Instruction Fuzzy Hash: 21116A32540509FBDF129F90CE09BEE7B69EF58344F110076B905B50E0E7B5DE21AB68

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405D2C: CharNextW.USER32(?,?,00425F30,?,00405DA0,00425F30,00425F30,?,?,75922EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405D3A
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D3F
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D57

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 004058E3: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405926

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet
API String ID: 1892508949-91662111
Opcode ID: 63e3afcb8f518b8f961fa91b0460bec2abaa85340c93af8d37e8798651ac2648
Instruction ID: a4cb8c34a70438e14e420fb04ab38ad532f12a03bdfc5322accc4ce246dd33dc
Opcode Fuzzy Hash: 63e3afcb8f518b8f961fa91b0460bec2abaa85340c93af8d37e8798651ac2648
Instruction Fuzzy Hash: 9011BE31504104EBCF31AFA0CD0199F36A0EF14368B28493BEA45B22F1DB3E4D51DA4E

Function 00405995 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059BE
CloseHandle.KERNEL32(?), ref: 004059CB

Strings

Error launching installer, xrefs: 004059A8

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 7702c274cdf70951028335e9b96fa9876c0cc9a795fc840707e03dbfe60e7272
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: B4E046F0A00209BFEB009BA4ED09F7BBAACFB04208F418431BD00F6190D774A8208A78

Function 00406EEF Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ce5b7836e8efc76d9880a3b815598044ae852516a7a266a4593ffa0bd4c046
Instruction ID: 1a1db7b112f5c349f32c040b215ce8adb2231ea54f988815808aa67dfaaa6b76
Opcode Fuzzy Hash: 86ce5b7836e8efc76d9880a3b815598044ae852516a7a266a4593ffa0bd4c046
Instruction Fuzzy Hash: 6AA15271E04228CBDF28CFA8C8446ADBBB1FF44305F14816ED856BB281D7786A86DF45

Function 004070F0 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f289ec4eae441b973c5cf469eb2209b78d92787f90c2f70d8ea77383fdb072af
Instruction ID: 81ced8d75bd8cd674d530aa485ef516b0f39a629971cfce93107e9c84bdcedbb
Opcode Fuzzy Hash: f289ec4eae441b973c5cf469eb2209b78d92787f90c2f70d8ea77383fdb072af
Instruction Fuzzy Hash: 4E912170E04228CBDF28CFA8C8547ADBBB1FB44305F14816ED856BB281D778A986DF45

Function 00406E06 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b8550c79165f3bd8438b4b7b77fc639822643401bcc62ffa2a7152ccecd571
Instruction ID: 6e186065c07e551db02da0b657444ed8a40fac9cbefa0218a87430385e41b7b0
Opcode Fuzzy Hash: 36b8550c79165f3bd8438b4b7b77fc639822643401bcc62ffa2a7152ccecd571
Instruction Fuzzy Hash: F7814571E04228CFDF24CFA8C8447ADBBB1FB45305F24816AD856BB281C778A996DF45

Function 0040690B Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd90919654d861d793b9259fd4ddd35531221e69384e43b7f209bc021a7cca94
Instruction ID: 1a645af2666a8cd9619cdf871bd9e2c738fb6a6c353dc56c4864b2e7a25bf22b
Opcode Fuzzy Hash: fd90919654d861d793b9259fd4ddd35531221e69384e43b7f209bc021a7cca94
Instruction Fuzzy Hash: 71816771E04228DBEF28CFA8C8447ADBBB1FB44301F14816AD956BB2C1C7786986DF45

Function 00406D59 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afd307a57d874939e6d1f07c4a81c11abd2b71d61e18d684fba0f23c35f734a
Instruction ID: b0583babc1dad824d13d86abae56a1a356e3ceb45be48e511182641c275db258
Opcode Fuzzy Hash: 7afd307a57d874939e6d1f07c4a81c11abd2b71d61e18d684fba0f23c35f734a
Instruction Fuzzy Hash: 8C712471E04228CFDF28CFA8C9447ADBBB1FB44305F15806AD856BB281D7386996DF45

Function 00406E77 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52b64c4cba7ecf1fb5e1bb59396999cb3f4df188a1ab73f316032be63138ba7
Instruction ID: 968097f9e37e498ed83c4652799cdf8e1ebeb5c7fee57b8dc09d96684c556b9e
Opcode Fuzzy Hash: c52b64c4cba7ecf1fb5e1bb59396999cb3f4df188a1ab73f316032be63138ba7
Instruction Fuzzy Hash: 27712471E04228CFDF28CFA8C854BADBBB1FB44305F15806AD856BB281C7786996DF45

Function 00406DC3 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c741c7bc90f3712fe41ea972859e43f39dd565e03f7b0e7aa23f6ef9dcbd7f18
Instruction ID: 737cb098acab11621bc79b115fd6dc57f162d32c21417d2b0fd17844244e9397
Opcode Fuzzy Hash: c741c7bc90f3712fe41ea972859e43f39dd565e03f7b0e7aa23f6ef9dcbd7f18
Instruction Fuzzy Hash: 5A714571E04228CFEF28CF98C8447ADBBB1FB44305F14806AD956BB281C778A996DF45

Function 004032C2 Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004032D6

Part of subcall function 00403441: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313F,?), ref: 0040344F

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031EC,00000004,00000000,00000000,?,?,00403166,000000FF,00000000,00000000,0040A230,?), ref: 00403309
SetFilePointer.KERNELBASE(0014F4B2,00000000,00000000,00414ED0,00004000,?,00000000,004031EC,00000004,00000000,00000000,?,?,00403166,000000FF,00000000), ref: 00403404

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 63f894617870b8b9b6b4d0f35ad55c68ae2789ba15d09fbc75adc17a06edb544
Instruction ID: 8a5bf560653b24f1bd3cd60389d49066fb51751ebaffca469d7b7cf87711dc5f
Opcode Fuzzy Hash: 63f894617870b8b9b6b4d0f35ad55c68ae2789ba15d09fbc75adc17a06edb544
Instruction Fuzzy Hash: 10316C72610211DBD711DF29EEC49A63BA9F78439A714823FE900B62E0CBB95D058B9D

Function 0040202C Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402057

Part of subcall function 00405414: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(00422708,00402EEC,00402EEC,00422708,00000000,00000000,00000000), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(00422708,00422708), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402068
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020E5

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 44d570d4ef42a6af9798bac81a48d6e43403590213f26621d83d999ce1ed40c7
Instruction ID: efb744b1bbbaa1f1e58e2693dd3ff93cd36a27706c6aad24c330354b17a2434d
Opcode Fuzzy Hash: 44d570d4ef42a6af9798bac81a48d6e43403590213f26621d83d999ce1ed40c7
Instruction Fuzzy Hash: 6F21C531900218EBCF20AFA5CE4CA9E7A70AF04354F60413BF610B61E1DBBD4991DA6E

Function 004024F2 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402538
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsj72EF.tmp,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 297b237e24fbbf63aa7ca08728d7b3950c3333922afcc1c5b6d3d1192ed08725
Instruction ID: 4fa2f3c06f6248971957712acf2942ced6ba336c37b2851dfbda8b2cd28c17b0
Opcode Fuzzy Hash: 297b237e24fbbf63aa7ca08728d7b3950c3333922afcc1c5b6d3d1192ed08725
Instruction Fuzzy Hash: 6D017171904104EFE7159FA5DE89ABFB6B8EF44348F10403EF105A62D0DAB84E459B69

Function 1000289C Relevance: 3.2, APIs: 2, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(00000000), ref: 1000295B
GetLastError.KERNEL32 ref: 10002A62

Memory Dump Source

Source File: 00000000.00000002.4505515296.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4505502087.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505526475.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505538713.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_presupuesto urgente.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction ID: 6dfa44c8e371a7ac1a486a55eff0af4ad814c9ea0d06d7514663fdd8c294557a
Opcode Fuzzy Hash: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
Instruction Fuzzy Hash: 4E51B4B9905211DFFB20DFA4DCC675937A8EB443D4F22C42AEA04E726DCE34A990CB55

Function 004031BA Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403166,000000FF,00000000,00000000,0040A230,?), ref: 004031DF

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: af526002166308cc95fa76d49654f36d838bd7a13899b6376ccfe278c881acad
Instruction ID: 4c6ae7a0626839fce45d877b24888c0af913333af22313e68c4d1644c71cb298
Opcode Fuzzy Hash: af526002166308cc95fa76d49654f36d838bd7a13899b6376ccfe278c881acad
Instruction Fuzzy Hash: 3B319C3020021AFFDB109F95ED84ADB3F68EB04359B1085BEF904E6190D778CE509BA9

Function 0040247E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsj72EF.tmp,00000000,00000011,00000002), ref: 00402551

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: a3b88ef37a04c447d509aafcd647c8bb55f7a85eb83bcf9e8b78a58130226466
Instruction ID: 2d27e3624369fee7c217219a4e344138e42523264533ea489648bddc6477d6d2
Opcode Fuzzy Hash: a3b88ef37a04c447d509aafcd647c8bb55f7a85eb83bcf9e8b78a58130226466
Instruction Fuzzy Hash: 53119171900209EBEB24DFA4CA585AEB6B4EF04344F20843FE046A62C0D7B84A45DB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D

Function 00402388 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
RegCloseKey.ADVAPI32(00000000), ref: 004023B3

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 3500e27f67e3657d3f13e648c5a4e4955d4a6b8459d35a1d73aadda57e6becb1
Instruction ID: eeebe11236d86b478005370e27fb04b66889edd8f93d7ff1d49de92df4b57ee5
Opcode Fuzzy Hash: 3500e27f67e3657d3f13e648c5a4e4955d4a6b8459d35a1d73aadda57e6becb1
Instruction Fuzzy Hash: 58F09632A04114DBE711BBA49B4EABEB2A59B44354F16053FFA02F71C1DEFC4D41866D

Function 00401E43 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E61
EnableWindow.USER32(00000000,00000000), ref: 00401E6C

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 611feb8e2eb8574bcf65ce6e82aff3c902186df27cfe016bcc5f4eefe149f0e3
Instruction ID: 353457a250eeab47012712e359045a90ae935b3a48e85cb5936bf3a8ff6902a1
Opcode Fuzzy Hash: 611feb8e2eb8574bcf65ce6e82aff3c902186df27cfe016bcc5f4eefe149f0e3
Instruction Fuzzy Hash: 40E09232E08200CFD724DBA5AA4946D77B0EB84354720407FE112F11D1DA784881CF6D

Function 0040678A Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004034FB,0000000A), ref: 0040679C
GetProcAddress.KERNEL32(00000000,?), ref: 004067B7

Part of subcall function 0040671A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406731
Part of subcall function 0040671A: wsprintfW.USER32 ref: 0040676C
Part of subcall function 0040671A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406780

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 1fd694bbbc018e5f81eae6ff46d5e7dd0c39e86c0a2cf65890550c3579ed631a
Instruction ID: 6fedc38abd16d04710e8a636fd16f84820eabe090bba127bd882252d3fb3e83b
Opcode Fuzzy Hash: 1fd694bbbc018e5f81eae6ff46d5e7dd0c39e86c0a2cf65890550c3579ed631a
Instruction Fuzzy Hash: 21E0863250421156D21096745E4893772AC9AC4718307843EF956F3041DB389C35A76D

Function 00405EA2 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F57,C:\Users\user\Desktop\presupuesto urgente.exe,80000000,00000003), ref: 00405EA6
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15

Function 00405960 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040347C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 00405966
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405974

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction ID: a0b70af09676f49ae35af12b400ff138e6ea5c47fed9fef2c083bef2843b0e9d
Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction Fuzzy Hash: 97C04C71255506DADB105F31DE08F1B7A50AB60751F11843AA18AE51B0DA348455DD2D

Function 004027E9 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807

Part of subcall function 004062F7: wsprintfW.USER32 ref: 00406304

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: df39207a0041021f90c9c5904dee6126a22bdfdf8dd6c18872903947b59110e0
Instruction ID: 55fb61e46e544c01c8f838511187bb9fe83791c0a23b57862087ec8cac53259a
Opcode Fuzzy Hash: df39207a0041021f90c9c5904dee6126a22bdfdf8dd6c18872903947b59110e0
Instruction Fuzzy Hash: EDE09271A00104AFDB11EBA5AF499AE7779DB80304B14407FF501F11D2CB790D52DE2E

Function 00402306 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D

Function 0040624B Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406274

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 479e159ceda2cb7b50184963f42fe168e38793edbf0b306f3e9e40cefa011f94
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: F5E0E672010109BEEF195F50DD0AD7B371DE704314F01452EFA07E4051E6B5A9305734

Function 00405F54 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0040D022,0040CED0,004033C2,0040CED0,0040D022,00414ED0,00004000,?,00000000,004031EC,00000004), ref: 00405F68

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 6078229a914e39b74a0c5ece066be2a5834b756046c3aff4b734283800ecbe33
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 2DE0EC3221065EABDF109EA59C00EEB7B6CFB053A0F004437FD25E3150D775E9219BA8

Function 00405F25 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040343E,0040A230,0040A230,00403342,00414ED0,00004000,?,00000000,004031EC), ref: 00405F39

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 9b2ea83f702eb3fffeb4c264c614e4c5cb206e28bf88f3110778221d7db1fef5
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: D7E08C3220021AEBCF109F508C00EEB3B6CEB04360F004472F925E2180E234E8219FA8

Function 100027C2 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0

Memory Dump Source

Source File: 00000000.00000002.4505515296.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4505502087.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505526475.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505538713.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_presupuesto urgente.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19

Function 0040621D Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422708,?,?,004062AB,00422708,00000000,?,?,Call,?), ref: 00406241

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 3024dc78f91217c8ac754af2bee00b96045fdb9f0f4599777b3fb0e88d8c22ab
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 8AD0123200020DBBDF116E919D05FAB371DEB04310F014426FE16A4091D775D530AB15

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 29d25e4036f002882842ff2abbc33b1b61682e4b1f0e1c41cb6674e83b655918
Instruction ID: 608ef69ca2b13f27eda1cfcd16162797e0d7c1effb02ba883df1ee114d760796
Opcode Fuzzy Hash: 29d25e4036f002882842ff2abbc33b1b61682e4b1f0e1c41cb6674e83b655918
Instruction Fuzzy Hash: 44D01272B04104DBDB21DBA4AF0859D73A59B10364B204677E101F11D1DAB989559A1D

Function 00403441 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313F,?), ref: 0040344F

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00401F00 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405414: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(00422708,00402EEC,00402EEC,00422708,00000000,00000000,00000000), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(00422708,00422708), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Part of subcall function 00405995: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059BE
Part of subcall function 00405995: CloseHandle.KERNEL32(?), ref: 004059CB

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47

Part of subcall function 0040683B: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040684C
Part of subcall function 0040683B: GetExitCodeProcess.KERNEL32(?,?), ref: 0040686E

Part of subcall function 004062F7: wsprintfW.USER32 ref: 00406304

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: b4474b7c365b70f9dc7c58f3b4c8f6c607978000052ce3e09dedc8896c81aea9
Instruction ID: 78872c6594437c8f6fb94a475087433cb7c5ddb6828dda6eb17a8edff69df0b5
Opcode Fuzzy Hash: b4474b7c365b70f9dc7c58f3b4c8f6c607978000052ce3e09dedc8896c81aea9
Instruction Fuzzy Hash: 93F0F072905021DBCB20FBA58E848DE72B09F01328B2101BFF101F21D1C77C0E418AAE

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: cb92cf7ccb1965bdce3badc7d49dd673c55c158fa478f1f9cab94f81649d65d9
Instruction ID: adf76bd272608bb1b99769d9a9b05885636640fbfa2c3f91bbd7a8ebdab0685d
Opcode Fuzzy Hash: cb92cf7ccb1965bdce3badc7d49dd673c55c158fa478f1f9cab94f81649d65d9
Instruction Fuzzy Hash: 45D0A773F141008BD720EBB8BE8945E73F8E7803193208837E102F11D1E578C8928A2D

Non-executed Functions

Function 00405553 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055B1
GetDlgItem.USER32(?,000003EE), ref: 004055C0
GetClientRect.USER32(?,?), ref: 004055FD
GetSystemMetrics.USER32(00000002), ref: 00405604
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405625
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405636
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405649
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405657
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040566A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040568C
ShowWindow.USER32(?,00000008), ref: 004056A0
GetDlgItem.USER32(?,000003EC), ref: 004056C1
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004056D1
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004056EA
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004056F6
GetDlgItem.USER32(?,000003F8), ref: 004055CF

Part of subcall function 0040437A: SendMessageW.USER32(00000028,?,00000001,004041A5), ref: 00404388

GetDlgItem.USER32(?,000003EC), ref: 00405713
CreateThread.KERNEL32(00000000,00000000,Function_000054E7,00000000), ref: 00405721
CloseHandle.KERNEL32(00000000), ref: 00405728
ShowWindow.USER32(00000000), ref: 0040574C
ShowWindow.USER32(?,00000008), ref: 00405751
ShowWindow.USER32(00000008), ref: 0040579B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057CF
CreatePopupMenu.USER32 ref: 004057E0
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004057F4
GetWindowRect.USER32(?,?), ref: 00405814
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040582D
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405865
OpenClipboard.USER32(00000000), ref: 00405875
EmptyClipboard.USER32 ref: 0040587B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405887
GlobalLock.KERNEL32(00000000), ref: 00405891
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A5
GlobalUnlock.KERNEL32(00000000), ref: 004058C5
SetClipboardData.USER32(0000000D,00000000), ref: 004058D0
CloseClipboard.USER32 ref: 004058D6

Strings

{, xrefs: 004057B9
(7B, xrefs: 00405841

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: f086514403ad079958e05c79f9398a2ee239ec86c73215fd307c521ee98444fa
Instruction ID: f8c5fe522ebc9739dae7df13929d3a15495bf3740f19f89270c8c50aa4207807
Opcode Fuzzy Hash: f086514403ad079958e05c79f9398a2ee239ec86c73215fd307c521ee98444fa
Instruction Fuzzy Hash: AFB15870900608FFDB11AFA0DD85AAE7B79FB44354F00847AFA45B61A0CB754E51DF68

Function 00404D90 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DA8
GetDlgItem.USER32(?,00000408), ref: 00404DB3
GlobalAlloc.KERNEL32(00000040,?), ref: 00404DFD
LoadBitmapW.USER32(0000006E), ref: 00404E10
SetWindowLongW.USER32(?,000000FC,00405388), ref: 00404E29
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E3D
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E4F
SendMessageW.USER32(?,00001109,00000002), ref: 00404E65
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E71
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404E83
DeleteObject.GDI32(00000000), ref: 00404E86
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EB1
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EBD
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F53
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404F7E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F92
GetWindowLongW.USER32(?,000000F0), ref: 00404FC1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404FCF
ShowWindow.USER32(?,00000005), ref: 00404FE0
SendMessageW.USER32(?,00000419,00000000,?), ref: 004050DD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405142
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405157
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040517B
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040519B
ImageList_Destroy.COMCTL32(?), ref: 004051B0
GlobalFree.KERNEL32(?), ref: 004051C0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405239
SendMessageW.USER32(?,00001102,?,?), ref: 004052E2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004052F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00405311
ShowWindow.USER32(?,00000000), ref: 0040535F
GetDlgItem.USER32(?,000003FE), ref: 0040536A
ShowWindow.USER32(00000000), ref: 00405371

Strings

M, xrefs: 00404F3A
, xrefs: 00405349
N, xrefs: 0040501B

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: dd7e303e7a082920acbddfa323b9c1fe09c51fd00b8ac91a0555c01a181f07cb
Instruction ID: 31ae2990ecb9e768136dc40aca02b7f59ce629e1f3cadc681249b7cbd6abf0de
Opcode Fuzzy Hash: dd7e303e7a082920acbddfa323b9c1fe09c51fd00b8ac91a0555c01a181f07cb
Instruction Fuzzy Hash: 09027DB0A00609EFDB209F54DC45AAE7BB5FB44354F10817AE610BA2E0C7798E52CF58

Function 00404814 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404863
SetWindowTextW.USER32(00000000,?), ref: 0040488D
SHBrowseForFolderW.SHELL32(?), ref: 0040493E
CoTaskMemFree.OLE32(00000000), ref: 00404949
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 0040497B
lstrcatW.KERNEL32(?,Call), ref: 00404987
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404999

Part of subcall function 004059F6: GetDlgItemTextW.USER32(?,?,00000400,004049D0), ref: 00405A09

Part of subcall function 00406644: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\presupuesto urgente.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066A7
Part of subcall function 00406644: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066B6
Part of subcall function 00406644: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\presupuesto urgente.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066BB
Part of subcall function 00406644: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\presupuesto urgente.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066CE

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A5C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A77

Part of subcall function 00404BD0: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C71
Part of subcall function 00404BD0: wsprintfW.USER32 ref: 00404C7A
Part of subcall function 00404BD0: SetDlgItemTextW.USER32(?,00423728), ref: 00404C8D

Strings

(7B, xrefs: 00404911
Call, xrefs: 00404975, 0040497A, 00404985
A, xrefs: 00404937
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet, xrefs: 00404964

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet$Call
API String ID: 2624150263-3384855386
Opcode ID: f04caca690f49e87266c44fb9cab88c370668c693f36f0659ef379fd8dc31e70
Instruction ID: 8d8d1438250e4d518a9e2371570913b63a9457987511b3c3302aefac7d34506d
Opcode Fuzzy Hash: f04caca690f49e87266c44fb9cab88c370668c693f36f0659ef379fd8dc31e70
Instruction Fuzzy Hash: B3A184F1A00209ABDB119FA5CD45AAF77B8EF84314F14843BFA01B62D1D77C99418B6D

Function 004020FE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet, xrefs: 004021BD

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet
API String ID: 542301482-91662111
Opcode ID: d21109b947604d2aeedf4ad2c9da0992de00d0e594a19d7853b024dfbf8c0e49
Instruction ID: fcf7de762e0310186ccf97c85ab7d5ba58e988de4da68cff16f28a22b081737a
Opcode Fuzzy Hash: d21109b947604d2aeedf4ad2c9da0992de00d0e594a19d7853b024dfbf8c0e49
Instruction Fuzzy Hash: EE414A75A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44

Function 00402862 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: d93f1720afb55d10142a5d85e05fc16c00c53f1b0b53f4af4ae9949186ca55c3
Instruction ID: 1506565ccd7b679c7f55cec76d0c208d7a3b57e4c41f2eb52868ec6bdbdc004a
Opcode Fuzzy Hash: d93f1720afb55d10142a5d85e05fc16c00c53f1b0b53f4af4ae9949186ca55c3
Instruction Fuzzy Hash: 38F05E71A04104ABD710EBA4DA499ADB368EF00314F2005BBF541F21D1D7B84D919B2A

Function 00403E6C Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EA8
ShowWindow.USER32(?), ref: 00403EC5
DestroyWindow.USER32 ref: 00403ED9
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF5
GetDlgItem.USER32(?,?), ref: 00403F16
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F2A
IsWindowEnabled.USER32(00000000), ref: 00403F31
GetDlgItem.USER32(?,00000001), ref: 00403FDF
GetDlgItem.USER32(?,00000002), ref: 00403FE9
SetClassLongW.USER32(?,000000F2,?), ref: 00404003
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404054
GetDlgItem.USER32(?,00000003), ref: 004040FA
ShowWindow.USER32(00000000,?), ref: 0040411B
EnableWindow.USER32(?,?), ref: 0040412D
EnableWindow.USER32(?,?), ref: 00404148
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040415E
EnableMenuItem.USER32(00000000), ref: 00404165
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040417D
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404190
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041BA
SetWindowTextW.USER32(?,00423728), ref: 004041CE
ShowWindow.USER32(?,0000000A), ref: 00404302

Strings

(7B, xrefs: 004041AA

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: (7B
API String ID: 184305955-3251261122
Opcode ID: a59e4a4ec43d7d40c0b393105adb60ca25607e9856a65bb271622870994d4568
Instruction ID: 85a8b1cb5875a9f0130709c86f20b78f231723f1bf47f2e7597622744019d293
Opcode Fuzzy Hash: a59e4a4ec43d7d40c0b393105adb60ca25607e9856a65bb271622870994d4568
Instruction Fuzzy Hash: 88C1A1B1640200FFDB216F61EE85D2B3BA8EB95305F40053EFA41B21F0CB7959529B6E

Function 004044E2 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404580
GetDlgItem.USER32(?,000003E8), ref: 00404594
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045B1
GetSysColor.USER32(?), ref: 004045C2
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045D0
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045DE
lstrlenW.KERNEL32(?), ref: 004045E3
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004045F0
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404605
GetDlgItem.USER32(?,0000040A), ref: 0040465E
SendMessageW.USER32(00000000), ref: 00404665
GetDlgItem.USER32(?,000003E8), ref: 00404690
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046D3
LoadCursorW.USER32(00000000,00007F02), ref: 004046E1
SetCursor.USER32(00000000), ref: 004046E4
LoadCursorW.USER32(00000000,00007F00), ref: 004046FD
SetCursor.USER32(00000000), ref: 00404700
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040472F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404741

Strings

Call, xrefs: 004046BF
N, xrefs: 0040467E
YD@, xrefs: 004046EC

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$YD@
API String ID: 3103080414-3276248472
Opcode ID: 777072e4300f85645cf7ffde5545d8883defabb32dd208014d98b1e23baa6229
Instruction ID: b733f22c3e4a4344af423a89e947fb2470a434e6d87e1c723dfed1fecd84da00
Opcode Fuzzy Hash: 777072e4300f85645cf7ffde5545d8883defabb32dd208014d98b1e23baa6229
Instruction Fuzzy Hash: E16172B1A00209BFDB109F60DD85AAA7B69FB85354F00813AFB05BB1E0D7789951CF58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00405FFC Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406197,?,?), ref: 00406037
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406040

Part of subcall function 00405E07: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E17
Part of subcall function 00405E07: lstrlenA.KERNEL32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E49

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 0040605D
wsprintfA.USER32 ref: 0040607B
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060B6
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060C5
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FD
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 00406153
GlobalFree.KERNEL32(00000000), ref: 00406164
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040616B

Part of subcall function 00405EA2: GetFileAttributesW.KERNELBASE(00000003,00402F57,C:\Users\user\Desktop\presupuesto urgente.exe,80000000,00000003), ref: 00405EA6
Part of subcall function 00405EA2: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405EC8

Strings

[Rename], xrefs: 004060E5, 004060F7
%ls=%ls, xrefs: 00406071

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: cc1e011b744674eb6045294d1f1ba8016b3cffab7c6b3a5cc0e4edd922729f6b
Instruction ID: 7a97944e4ecdd21f919348e7cfc29446421eaa6be6f71a8f5a2bdcac5b6ce208
Opcode Fuzzy Hash: cc1e011b744674eb6045294d1f1ba8016b3cffab7c6b3a5cc0e4edd922729f6b
Instruction Fuzzy Hash: 953139703007157BC2206B259D49F673A6CEF45714F15003AFA42FA2D2DE7C992586AD

Function 00406644 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\presupuesto urgente.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066A7
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066B6
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\presupuesto urgente.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066BB
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\presupuesto urgente.exe",00403464,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 004066CE

Strings

"C:\Users\user\Desktop\presupuesto urgente.exe", xrefs: 00406644
C:\Users\user\AppData\Local\Temp\, xrefs: 00406645, 0040664A
*?|<>/":, xrefs: 00406696

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\presupuesto urgente.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1327597434
Opcode ID: 77b224228f8c57f44dbd024cb25da7c2d773c522f2af8fdd1da9e6af7933f215
Instruction ID: 91382b34e261ab6a6b837a41ec70345278d3faa82d58aea2d88f3062b19e38b1
Opcode Fuzzy Hash: 77b224228f8c57f44dbd024cb25da7c2d773c522f2af8fdd1da9e6af7933f215
Instruction Fuzzy Hash: 8C11E61580070295DB302B149C40E7766B8EF587A4F12483FED86B32C0E77E4CD286AD

Function 004043AC Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043C9
GetSysColor.USER32(00000000), ref: 004043E5
SetTextColor.GDI32(?,00000000), ref: 004043F1
SetBkMode.GDI32(?,?), ref: 004043FD
GetSysColor.USER32(?), ref: 00404410
SetBkColor.GDI32(?,?), ref: 00404420
DeleteObject.GDI32(?), ref: 0040443A
CreateBrushIndirect.GDI32(?), ref: 00404444

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction ID: 701ae6dfa2b2a9365c03cf2c9b1b76f0db24f0feb35c46e7544c905291b2d973
Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction Fuzzy Hash: 4B216671500704AFCB219F68DE48B5BBBF8AF81714F04893EED95E22A1D774E944CB54

Function 00405414 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
lstrcatW.KERNEL32(00422708,00402EEC,00402EEC,00422708,00000000,00000000,00000000), ref: 0040546F
SetWindowTextW.USER32(00422708,00422708), ref: 00405481
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: ae6ed24060c0e1e5203a454600f337dd8354be9e28b06d37a059070ec5477373
Instruction ID: b4c9d1203d7b93b364d12d55a96473d81469f1a16e33619bfa53f57c996d0385
Opcode Fuzzy Hash: ae6ed24060c0e1e5203a454600f337dd8354be9e28b06d37a059070ec5477373
Instruction Fuzzy Hash: 0E219071900518BACF119FA5DD85ADFBFB4EF45364F10803AF904B62A0C3794A90CFA8

Function 00402E72 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402E8D
GetTickCount.KERNEL32 ref: 00402EAB
wsprintfW.USER32 ref: 00402ED9

Part of subcall function 00405414: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000,?), ref: 0040544C
Part of subcall function 00405414: lstrlenW.KERNEL32(00402EEC,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EEC,00000000), ref: 0040545C
Part of subcall function 00405414: lstrcatW.KERNEL32(00422708,00402EEC,00402EEC,00422708,00000000,00000000,00000000), ref: 0040546F
Part of subcall function 00405414: SetWindowTextW.USER32(00422708,00422708), ref: 00405481
Part of subcall function 00405414: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054A7
Part of subcall function 00405414: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054C1
Part of subcall function 00405414: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054CF

CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EFD
ShowWindow.USER32(00000000,00000005), ref: 00402F0B

Part of subcall function 00402E56: MulDiv.KERNEL32(00000000,00000064,0005D5FB), ref: 00402E6B

Strings

... %d%%, xrefs: 00402ED3

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 9d96e1b775b00f8f1aa504ccf668d13eff31e418fbd4a6343fc61565dbea9545
Instruction ID: c2ec4548d439a14d597b05689786213ff5532ac021c242b5895b0761ec4a5705
Opcode Fuzzy Hash: 9d96e1b775b00f8f1aa504ccf668d13eff31e418fbd4a6343fc61565dbea9545
Instruction Fuzzy Hash: 0501C430440724EBCB31AB60EF4CB9B7B68AB00B44B50417FF945F12E0CAB844558BEE

Function 00404CDE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404CF9
GetMessagePos.USER32 ref: 00404D01
ScreenToClient.USER32(?,?), ref: 00404D1B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D2D
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D53

Strings

f, xrefs: 00404D2F

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: b067d4b0ecc7c77c1c3f0caef97ada8ed48413e9bef28a1d47140c0a876cf8aa
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: AD015E71A0021DBADB00DB94DD85BFEBBBCAF95715F10412BBA50B62D0C7B899018BA4

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DB6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
ReleaseDC.USER32(?,00000000), ref: 00401DE9
CreateFontIndirectW.GDI32(0040CDE0), ref: 00401E38

Strings

Tahoma, xrefs: 00401E1E

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: dd5e8fa4d463f4addcea7a8cc9fa64d55b0ecfa5d277173ec9cca7ca7d10c693
Instruction ID: c2f05a2c3ba2ec5405c4fe8fe652dd8f1d703414ee124caa90b8b383e79e86eb
Opcode Fuzzy Hash: dd5e8fa4d463f4addcea7a8cc9fa64d55b0ecfa5d277173ec9cca7ca7d10c693
Instruction Fuzzy Hash: 3201B171904241EFE7006BB0AF4AB9A7FB0BF55301F10493EF242B71E2CAB800469B2D

Function 00402DD7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
wsprintfW.USER32 ref: 00402E29
SetWindowTextW.USER32(?,?), ref: 00402E39
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E4B

Strings

unpacking data: %d%%, xrefs: 00402E17, 00402E27
verifying installer: %d%%, xrefs: 00402E1E

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 5563c221c1669b5fd2184c8b70bdefae7b5ad080d5cf5862aa05c867891839d9
Instruction ID: 0bc749b122006b2f9f6abad3e9991ed6065550717762caf8ffdc158a825a6066
Opcode Fuzzy Hash: 5563c221c1669b5fd2184c8b70bdefae7b5ad080d5cf5862aa05c867891839d9
Instruction Fuzzy Hash: 69F0367154020DABDF206F50DD4ABEA3B69FB00714F00803AFA06B51D0DBFD55598F99

Function 100024A4 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 1000256D
GlobalFree.KERNEL32(00000000), ref: 100025A8

Memory Dump Source

Source File: 00000000.00000002.4505515296.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4505502087.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505526475.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505538713.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_presupuesto urgente.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69

Function 004028A7 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
GlobalFree.KERNEL32(?), ref: 00402950
GlobalFree.KERNEL32(00000000), ref: 00402963
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 71fa0d7f1f6972b2f5f4a603ea8383ed055fcf66cbac6c56c0d77bb029e8dc11
Instruction ID: c824e8dfb1c84b3956194132b72a9c46ff30f807773af65f81dcebc4e122496d
Opcode Fuzzy Hash: 71fa0d7f1f6972b2f5f4a603ea8383ed055fcf66cbac6c56c0d77bb029e8dc11
Instruction Fuzzy Hash: 6521BFB1800128BBDF216FA5DE49D9E7E79EF09364F10023AF960762E0CB7949418B98

Function 00404BD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C71
wsprintfW.USER32 ref: 00404C7A
SetDlgItemTextW.USER32(?,00423728), ref: 00404C8D

Strings

%u.%u%s%s, xrefs: 00404C5B
(7B, xrefs: 00404C63

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 58f77135636fcca40ac9b9d1b3b9f97977a6748d84aaa2f98ffb75d2f2ac1724
Instruction ID: 703546cccce40a16f7c4e0327b319c47dc4604cc2262111db7ea86f65ec4581c
Opcode Fuzzy Hash: 58f77135636fcca40ac9b9d1b3b9f97977a6748d84aaa2f98ffb75d2f2ac1724
Instruction Fuzzy Hash: 0911E7736041287BEB00556DAD46EAF329CDB85374F254237FA66F31D1DA79CC2182E8

Function 00402592 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsj72EF.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsj72EF.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED

Strings

C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll, xrefs: 004025AD, 004025D4, 004025E8, 00402634
C:\Users\user\AppData\Local\Temp\nsj72EF.tmp, xrefs: 004025DB

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsj72EF.tmp$C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll
API String ID: 3109718747-1293460741
Opcode ID: 04c8a0be0a3c8b5bca7af342d1437c7cd7f7eafe97cd42d6f17c4336303185e8
Instruction ID: 778b7e41730bacb68cbd472b7e3a637cf80abcfea8faeb2db308f16ae4ae4a1c
Opcode Fuzzy Hash: 04c8a0be0a3c8b5bca7af342d1437c7cd7f7eafe97cd42d6f17c4336303185e8
Instruction Fuzzy Hash: 35112E72A00204BBDB146FB18F8D99F76649F55394F20443BF502F61C1DAFC48425B5E

Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001908
GlobalFree.KERNEL32(?), ref: 10001A93
GlobalFree.KERNEL32(?), ref: 10001A98

Memory Dump Source

Source File: 00000000.00000002.4505515296.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4505502087.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505526475.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505538713.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_presupuesto urgente.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
Opcode Fuzzy Hash: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792

Function 100022D0 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002411

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000000.00000002.4505515296.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4505502087.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505526475.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505538713.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_presupuesto urgente.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.4505515296.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4505502087.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505526475.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505538713.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_presupuesto urgente.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00401D57 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D5D
GetClientRect.USER32(00000000,?), ref: 00401D6A
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
DeleteObject.GDI32(00000000), ref: 00401DA8

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1cce6cf5ba1aed4fa5ce4547bc0ae4b149cf4eb258e4777d2c59333f9832c14c
Instruction ID: a606f7d5b7d9f25f85f3a996f6cf1d54ca927bfb9af82e5c1f6e8eb7e31f2730
Opcode Fuzzy Hash: 1cce6cf5ba1aed4fa5ce4547bc0ae4b149cf4eb258e4777d2c59333f9832c14c
Instruction Fuzzy Hash: 88F0FF72604518AFDB01DBE4DF88CEEB7BCEB08341B14047AF641F61A1CA749D518B78

Function 00401C19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1

Strings

!, xrefs: 00401C55

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 8f57c4960d5009b47da13ac1dbf9672dc76c0f1a0d468b1b2fcc5bc99a892ac9
Instruction ID: 90968196233f782bf8ff3785c90d26ea0bd53ded382d002e8ee2e27c6658862d
Opcode Fuzzy Hash: 8f57c4960d5009b47da13ac1dbf9672dc76c0f1a0d468b1b2fcc5bc99a892ac9
Instruction Fuzzy Hash: 6121C171948209AEEF05EFA5CE4AABE7BB4EF84308F14443EF502B61D0D7B84541DB28

Function 00405C81 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403476,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 00405C87
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403476,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,004036D5,?,00000006,00000008,0000000A), ref: 00405C91
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405CA3

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C81

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction ID: 792cc20aee96bfe2db1a273563d78520df22e3750eb0c1a77993888458b10d09
Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction Fuzzy Hash: DBD0A731111631AAC1116B458D05CDF769C9F46315342143BF501B30A1C77C1D6187FD

Function 00405D89 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063B0: lstrcpynW.KERNEL32(?,?,00000400,0040355A,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063BD

Part of subcall function 00405D2C: CharNextW.USER32(?,?,00425F30,?,00405DA0,00425F30,00425F30,?,?,75922EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405D3A
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D3F
Part of subcall function 00405D2C: CharNextW.USER32(00000000), ref: 00405D57

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75922EE0,00000000), ref: 00405DE2
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,75922EE0,00405ADE,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00405DF2

Strings

0_B, xrefs: 00405D8F

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: 9ab52294f1c51de88c4a4db8473d9fc5f5165192c0b0c0d383058277ec03ae92
Instruction ID: 7d5bbe1e5c8c3abe72dbe24b1e5e7d34393fbb328f3a5d3c645332532cfc401b
Opcode Fuzzy Hash: 9ab52294f1c51de88c4a4db8473d9fc5f5165192c0b0c0d383058277ec03ae92
Instruction Fuzzy Hash: 61F0D125114E6156E62232364D0DBAF1954CE8236474A853BFC51B22D1DB3C8953CDAE

Function 00405388 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053B7
CallWindowProcW.USER32(?,?,?,?), ref: 00405408

Part of subcall function 00404391: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A3

Strings

, xrefs: 00405398

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 7f0b268359981ce96b8471a5d3c832aa899a6e6df9d4a1bd192212e4a6da3699
Instruction ID: e7a51b5005e981c4ca122d20ba3fe12824fd99f760bfe42b36e815d14bf77052
Opcode Fuzzy Hash: 7f0b268359981ce96b8471a5d3c832aa899a6e6df9d4a1bd192212e4a6da3699
Instruction Fuzzy Hash: 5C01717120060DABDF209F11DD84AAB3735EB84395F204037FE457A1D1C7BA8D92AF69

Function 0040627E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,00422708,00000000,?,?,Call,?,?,004064F2,80000002), ref: 004062C4
RegCloseKey.ADVAPI32(?,?,004064F2,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,00422708), ref: 004062CF

Strings

Call, xrefs: 00406285

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: eb1f67c4e7283d14696156d079f1c46a9bcf05f485b6848abf2eef10094c0e69
Instruction ID: c3e7de0656b9710826ab6423f517e97bb9b3954c36c3ca231a2eb326ebdf078d
Opcode Fuzzy Hash: eb1f67c4e7283d14696156d079f1c46a9bcf05f485b6848abf2eef10094c0e69
Instruction Fuzzy Hash: 80019A32500209EADF219F90CC09EDB3BA8EF55360F01803AFD16A21A0D738DA64DBA4

Function 00403A29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75922EE0,00403A00,75923420,004037FF,00000006,?,00000006,00000008,0000000A), ref: 00403A43
GlobalFree.KERNEL32(?), ref: 00403A4A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A3B

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction ID: 78aecf43d79df039942bc1d46619d1d902388d1bf991e2316d5006033f35a71e
Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction Fuzzy Hash: D9E08C32A000205BC6229F45ED04B5E7B6C6F48B22F0A023AE8C07B26087745C82CF88

Function 00405CCD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F80,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\presupuesto urgente.exe,C:\Users\user\Desktop\presupuesto urgente.exe,80000000,00000003), ref: 00405CD3
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F80,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\presupuesto urgente.exe,C:\Users\user\Desktop\presupuesto urgente.exe,80000000,00000003), ref: 00405CE3

Strings

C:\Users\user\Desktop, xrefs: 00405CCD

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction ID: 4c3d9e560c0c996ae094f7ef7b1b4ed865fc8cc67bffad09b41611580a74fc2a
Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction Fuzzy Hash: 03D05EB2414A209AD3126704DD01D9F73A8EF12314746442AE841A6161E7785C918AAC

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.4505515296.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4505502087.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505526475.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.4505538713.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_presupuesto urgente.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Function 00405E07 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E17
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E2F
CharNextA.USER32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E40
lstrlenA.KERNEL32(00000000,?,00000000,004060F0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E49

Memory Dump Source

Source File: 00000000.00000002.4503386018.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4503350841.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503406564.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000452000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503425431.0000000000454000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4503548313.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_presupuesto urgente.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: dc3323509655add47458b7bfdc28b409d7665b879035d0867add309d4545c2bc
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 89F06236104518EFC7029BA5DD40D9FBBA8EF06354B2540BAE980F7211D674DF01AB99

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report presupuesto urgente.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsj72EF.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsq6CC3.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet\Envy.Vir

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet\Gemyser.Red

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet\bushers.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet\meropidae.kej

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Eddadigtet\plastron.ori

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Gaulin.ini

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
presupuesto urgente.exe

Function 00403489 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 412
stringfilecomCOMMON

Function 00405ABE Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00406ABA Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 00403ABE Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402F14 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 004063D2 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00402644 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 0040671A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004058E3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00405ED1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 004023DE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00402D2A Relevance: 6.1, APIs: 4, Instructions: 64
registryCOMMON

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON